What's the problem?

I want to deploy a plain HTML/CSS/JS website with the minimal amount of fuss. I'm going to be using it for a simple web-app so I want to make sure its always up and always working as well.

There's many different ways of deploying websites with mostly static content.

• You could run a server using nginx/apache to serve files out of a directory, for example. This type of setup works fine for small setups, but starts to grow out of hand.
  • you'll need to keep your versions of your web server up to date to pull in any security updates for nginx/apache
  • you'll need to keep your OS patched with the latest security updates
  • you have servers to manage that need to be highly available
  • your servers are susceptible to attacks and you'll need to be defensive with your security
• You can always use hosted services to achieve some of this, but what's the fun in that? You're here to learn how to build solutions on AWS.

What's the solution?

Here's the features we want for our website

• a main website that will be accessible at https://www.mysite.com
• a redirect from https://mysite.com -> https://www.mysite.com
• an HTML/CSS/JS project

AWS provides a number of services to make this easy. We'll be using:

• S3 to host our static content
• CloudFront to act as a Content Delivery Network to provide faster speeds to end-users
• Route53 to purchase and manage your domain
• Cloudwatch to monitor traffic flowing to your website
• Amazon Certificate Manager for free SSL certificates

A lot of guides online will tell you, "You want to learn AWS? Get a free account and use Cloudformation to deploy everything!". That's fine advice if you're already familiar with building things on AWS. But if you're interacting with a new AWS service, it's helpful to set it up manually the first time so you can see which services are dependent on what information. (Check out Part 2 here)

For the purposes of this tutorial, we'll be setting it all up manually to familiarize ourselves with the above AWS services.

Why not just use a plain S3 website?

Unfortunately, S3 configured as a website doesn't support https by itself, so you need to add Cloudfront to the mix in order to get support for https.

Get started

Create the S3 bucket

1. Create 2 S3 buckets – one for your access logs first, and then one for your app. In this case, I’m making dperez-test-bucket-logs and dperez-test-bucket. The logs bucket can have all the default AWS settings, so you can click next through the wizard. Then create the bucket for your application.

2. Configure the bucket to send access logs to another bucket for monitoring

Configure your bucket

1. Configure the bucket as a website and set the default index document. Notice that the URL is a really long URL hosted under Amazon's domain. You'll likely want to have your users see your domain instead of Amazon's in the browser bar. More on that later.
2. Use the aws-cli to deploy your project to S3

☁  s3-project [master] ⚡ ll
total 4.0K
drwxr-xr-x 3 dperez 102 Apr 22 19:52 ./
drwxr-xr-x 9 dperez 306 Apr 22 19:52 ../
-rw-r--r-- 1 dperez  52 Apr 22 19:52 index.html
☁  s3-project [master] ⚡ aws s3 ls | grep dperez
2018-04-22 19:42:23 dperez-test-bucket
2018-04-22 19:39:53 dperez-test-bucket-logs
☁  s3-project [master] ⚡ aws s3 sync . s3://dperez-test-bucket/
upload: ./index.html to s3://dperez-test-bucket/index.html
☁  s3-project [master] ⚡

After finishing clicking the buttons for these steps, you should have a URL that you can access to see your site! Find the URL provided by S3 and visit your new website.

More configuration

• The first error you'll see is a 403 Forbidden page. This is because your bucket is not public yet. The bucket itself can have a policy attached to it, when we're creating websites, we want the bucket to be public on purpose. That does mean that you need to make sure to not keep any credentials in a public S3 bucket. Go to your bucket > Permissions > Bucket Policy and add the following IAM policy (make sure to swap out dperez-test-bucket for your buckets name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::dperez-test-bucket/*"
    }
  ]
}

The bucket is public. This is expected and intentional when deploying this website, but worth calling out after the long string of "hacks" where data was leaked out of misconfigured buckets. However, as long as the bucket is public, the general internet will be crawling your website both under your pretty domain, as well as via the bucket directy. We'll fix this to make sure your viewers are only seeing your branded domain and website.

Looking at logs

• Take a look at the files that were dropped off in your access logs bucket. You'll see that it contains a bunch of log lines telling you who accessed your website, what they requested, how long it took, etc.

Create certificates to support HTTPS URLs

We can get free certificates from Amazon Certificate Manager. They offer a few different ways of verifying your identity to prove that you own the domain you want a certificate for. Create a certificate for the domain you want your users to view. We'll need this later.

• Confirm an email that gets sent to the contact info for your domain - billing@mysite.com for example.
• If you have control over the DNS, you can insert a CNAME record containing an ID that Route53 provides. As soon as the record exists, the certificate gets created.

Set up CloudFront as a CDN

Now we can create the Cloudfront distribution and finish connecting the pieces together.

1. Create an Origin Access Identity. We'll be using this later to further lock down access to our bucket.
2. Create the distribution.

• For origin: the origin of the distribution will be set to your S3 bucket, so any request hitting your domain will first be received by CloudFront, and if it doesn't exist in the cache, it will grab the object from S3. Specify the Origin Access Identity that you created earlier. Also make sure to set "Grant Read Permissions on Bucket" to "Yes, Update Bucket Policy". This will update the permissions on our S3 bucket to allow Cloudfront to connect to it.
• Cache Behavior: CloudFront acts as a cache, so for the purposes of this example, we can leave all the defaults here except for "Viewer Protocol Policy". You'll want to set that to Redirect HTTP to HTTPS.
  • Domain & Certificate: For Alternate Domain Names (CNAMEs), use the URL that you want your viewers to use. Choose the certificate for your site that you provisioned via ACM.

Check out what Cloudfront did to your bucket policy

Because we're going to be using Cloudfront for this application, we can keep the bucket private for an additional layer of security and only accessible by Cloudfront by using a feature called an Origin Access Identity. Cloudfront will create a randomized string that it will use to make authenticated requests to the S3 bucket. When your S3 bucket receives the request, it will check to make sure that it is the same string and if so, will allow Cloudfront to read your files.

Go to Permissions > Bucket Policy to see the updated IAM policy.

Update your Route53 Domain to map to your CloudFront distribution

• When creating your record, make sure to use an Alias record. The advantage of using an Alias record over a CNAME, is that DNS queries to R53 for Alias records are free and it's one less DNS query than using a CNAME. Here's what it looks like for one of my domains.
• Once your DNS has been updated, wait for DNS to propagate, and test out your new site to verify your requirements

Be aware of the constraints of this setup

• CloudFront acts as a cache in front of S3. If you deploy new files to S3 and you refresh your website, you may or may not see the new content depending on the TTL of your cache. There's a balance to strike between setting a low TTL like 0 and a high TTL like 1 hour (a TTL of 0 is a feature itself that we'll dive into another time).
• Amazon Certificates can only be used on AWS. You cannot export your certificate's private key out of AWS. It's generally fine if you're using AWS anyway, but if you need to be vendor independent, use Let's Encrypt's free certificates. There's no reason anymore to be paying for certificates.
• CloudFront has some limitations around what headers you're able to use
  • Setting cache-control headers has to be added as metadata on your S3 object
  • Adding custom security headers like X-Frame-Origin, Strict-Transport-Security is not supported directly via CloudFront but can be added via Lambda@Edge

Go to Part 2

Check out Part 1

• a main website that is hosted at a www. subdomain
• an html/js/css app that is hosted in an S3 bucket
• a cloudfront distribution to give us an https URL
• a certificate that will be used with the cloudfront distribution for that domain
• a series of vanity URLs that will redirect to the main website

Let's start building some terraform

create your project directory

• you need a main.tf to hold all your resources
• you need a variables.tf to hold your inputs to your infrastructure
• you need a var-file to hold the values of your inputs to your infrastructure

create your initial tf files

The main website we want to build is www.example.com.

resource "aws_s3_bucket" "logs" {
  bucket = "${var.site_name}-site-logs"
  acl = "log-delivery-write"
}

resource "aws_s3_bucket" "www_site" {
  bucket = "www.${var.site_name}"

  logging {
    target_bucket = "${aws_s3_bucket.logs.bucket}"
    target_prefix = "www.${var.site_name}/"
  }

  website {
    index_document = "index.html"
  }
}

variables.tf

variable "site_name" {
  description = "My site"
}

var-files/my-site.tf

site_name = "mysite.com"

I believe we learn best when we see how things break! And there's an opportunity to break things here.

Why put access logs in a separate bucket?

Let's make things "easier" by putting access logs in the same bucket as the website. Why should I need 2 buckets?

resource "aws_s3_bucket" "www_site" {
  bucket = "www.${var.site_name}"

  logging {
    target_bucket = "www.${var.site_name}"
  }

  website {
    index_document = "index.html"
  }
}

Plan and apply your terraform, then visit your website directly via the S3 website URL. Refresh the page a few times and then look at the contents of your S3 bucket.

• Your access logs are now also public because they can be accessed via your website URL.
• Your access logs have lengthy and obscure file names and they are clobbering your directory. If you deploy using aws s3 sync to your bucket, you'll wind up deleting your access logs every time you deploy.
• Wait 10 minutes and review the activity in your access logs. You'll notice that the act of creating a file containing your access logs will create an access log of the act of creating a file containing your access logs, and etc, etc, etc.

I've done it before. I was so confused. Use a separate bucket.

Create your certificate

We need a certificate which we can get for free via ACM, but there's a catch

resource "aws_acm_certificate" "cert" {
  domain = "www.example.com"
}

Applying this terraform resource will begin the act of requesting a certificate, but the certificate needs to be approved and created out-of-band. There's 2 ways of handling this scenario

• Don't manage the certificate with terraform. Create it manually and drop the ARN of the certificate wherever you need to use it.
• Manage the certificate with terraform, but create it manually and then use terraform import to import the resource AFTER its been approved and created.

Now we can create the Cloudfront distribution and finish connecting the pieces together:

resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
  comment = "cloudfront origin access identity"
}

resource "aws_cloudfront_distribution" "website_cdn" {
  enabled      = true
  price_class  = "PriceClass_200"
  http_version = "http1.1"
  aliases = ["www.${var.site_name}"]

  origin {
    origin_id   = "origin-bucket-${aws_s3_bucket.www_site.id}"
    domain_name = "www.${var.site_name}.s3.us-east-2.amazonaws.com"

    s3_origin_config {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path}"
    }
  }

  default_root_object = "index.html"

  default_cache_behavior {
    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]
    target_origin_id = "origin-bucket-${aws_s3_bucket.www_site.id}"

    min_ttl          = "0"
    default_ttl      = "300"                                              //3600
    max_ttl          = "1200"                                             //86400

    // This redirects any HTTP request to HTTPS. Security first!
    viewer_protocol_policy = "redirect-to-https"
    compress               = true

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = "${aws_acm_certificate.cert.arn}"
    ssl_support_method       = "sni-only"
  }

}

A few important items here

• aws_cloudfront_origin_access_identity will create and manage that for you in terraform. You can either create and share an origin access identity across multiple distributions, or you can use one origin access identity per distribution.
• A viewer protocol policy redirect-http-to-https to enforce https to site visitors

Lock down the S3 bucket

The bucket policy lets us define the security on the bucket. In this scenario, we can keep the bucket private and only accessible by Cloudfront by using an Origin Access Identity. We can express this in the bucket policy:

main.tf

data "template_file" "bucket_policy" {
  template = "${file("bucket_policy.json")}
  vars {
  	origin_access_identity_arn = "${aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path}"
  	bucket = "${aws_s3_bucket.www_site.arn}"
  }
}

resource "aws_s3_bucket" "www_site" {
  bucket = "www.${var.site_name}"
  policy = "${data.template_file.bucket_policy.rendered}"
  ...
}

bucket_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyCloudfrontReadAccess",
      "Principal": {
        "AWS": "${origin_access_identity_arn}"
      },
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}

Create the DNS record

main.tf

resource "aws_route53_record" "www_site" {
  zone_id = "${data.aws_route53_zone.site.zone_id}"
  name = "www.${var.site_name}"
  type = "A"
  alias {
    name = "${aws_cloudfront_distribution.website_cdn.domain_name}"
    zone_id  = "${aws_cloudfront_distribution.website_cdn.hosted_zone_id}"
    evaluate_target_health = false
  }
}

Apply your terraform and test it out.

Writing automated tests for your infrastructure

Like any programming project, you want to make sure you have tests for your code. But we're writing terraform and there's no test runner for terraform, or is there?

All we need to be able to test our terraform is just any language that lets us write web requests. We'll create 2 sets of tests to make sure everything is working for mysite.com

Create the tests to verify your bucket configuration

s3_bucket_spec.rb

require 'serverspec'

context 's3 bucket' do

  describe command('aws s3 ls s3://dperez-test-bucket') do
    its(:stdout) { should_match /Access Denied/ }
  end

  describe command('curl -i https://s3.amazonaws.com/dperez-test-bucket') do
    its(:stdout) { should_match /Access Denied/ }
  end
end

context 'cloudfront' do
  describe command('curl -i https://www.mysite.com') do
    its(:stdout) { should_match /200 OK/ }
  end

  describe command('curl -i http://www.mysite.com') do
    its(:stdout) { should_match /301 Redirect/ }
  end
end

Run the tests with rspec to validate the infrastructure you just created.

the lifecycle of the cache

There's a few different ways to configure TTLs on CloudFront

• Use a TTL of 0

Control the cache at your Origin. See this Stack Overflow Question - What is a TTL 0 in Cloudfront Useful for. S3 has that behavior where if an object has not been modified and it has been requested recently, S3 will return a 304 Not Modified response and Cloudfront will continue to use the cached version until S3 says it should update.

• Use a non-zero TTL

Let Cloudfront be in charge of the cache. Things will stay cached in Cloudfront for the duration of your TTL, but see here for what the different TTLs you have available are.

Use Cache Invalidation to bust the cache when you need it. You can invalidate the whole distribution or just a subpath, e.g. /blog. This takes time to propagate as the cache needs to be invalidated at multiple regional locations.

S3 has outages too

S3 has had at least one outage a year, and while they are actively monitoring their services and work hard to bring it back as soon as possible, there's always the chance that your website becomes inaccessible due to issues with S3. If your website brings in sales, then any outage on S3 costs you money. So how do you handle S3 outages?

• Figure out what type of SLA you need to have for your website. You can rely on Cloudfront's cache to give you a window of time before you need to act. For example, if S3 goes down, but your content is cached on Cloudfront, then you can configure it to continue serving content if the origin dies. See this AWS doc for a more in-depth description to make sure you're still up when S3 is down.
• Leverage S3 Bucket Replication. This is a feature of S3 that will propagate changes to a bucket in another region. This alone is not enough to be resilient as there's a whole slew of limitations of S3 & Cloudfront that get in the way
  • Buckets must have the same name as the domain you want to use to access it. If your website is imcool.com, your bucket's name must be imcool.com. This means that you can't have imcool.com in us-east-1 AND us-east-2.
  • If you name your buckets imcool-us-east-1.com and imcool-us-east-2.com, then you won't be able to access them with your 1 domain name imcool.com.
  • A custom domain can only be associated with one Cloudfront distribution at a time. You cannot have Cloudfront-us-east-1 & Cloudfront-us-east-2 both with imcool.com as an alternate CNAME.
  • You can define multiple origins for your distribution but you can only control where certain paths like /assets or /blog get directed to which origins. So /assets should request from my assets origin, while /blog should request from the site origin. But you cannot define something like /* should request from s3-origin-us-east-1 AND (if that is down) /* should request from s3-origin-us-east-2.
  • Other solutions around the internet
  • There is this solution posted by IOpipe involving Cloudfront + R53 Health Checks + S3. The downside here is that if you rely on S3 as a website, it can't reply to HTTPS requests so failover would downgrade you from HTTPS to HTTP.
  • Multi-region load balancers in front of multi-region s3 buckets with cloudfront suggest in a stack overflow answer
  • A pretty good discussion on /r/aws on possibilities and pros/cons of each.

Setting custom headers

S3 lets you configure various headers like cache-control, content-md5 depending on what you want to do with your content. However you are limited to what headers you can set so it doesn't support adding things like X-Frame-Options, or Content-Security-Policy with just S3.

Configure Lambda@Edge to add security headers

Use Lambda@Edge to manipulate the response coming out of Cloudfront. Cloudfront is now offering different hooks where you can attach a Lambda like when receiving a request, or sending a response - see here for their walkthrough for setting this up. You can create a simple Lambda that looks at the response payload sent from the origin back to cloudfront and add whatever headers you'd like to include in the response. You can either set them globally, or apply them conditionally based on context using something like this

'use strict';
exports.handler = (event, context, callback) => {

    //Get contents of response
    const response = event.Records[0].cf.response;
    response.headers['strict-transport-security'] = [{key: 'Strict-Transport-Security', value: 'max-age= 63072000; includeSubdomains; preload'}]; 
    callback(null, response);
}

My first time approaching Chef was after doing Android for about 2 years. Whether you're working on the front-end or backend or even on Mobile, the overall workflow of your application is the same.

• Make changes to your application locally
• Write unit and/or integration tests to verify your changes
• Deploy & verify your changes to a test environment
• Deploy & verify your changes to a prod environment

The setup that I first worked with wasn't too well aligned with that. Feedback loops involved deploying cookbooks to chef-server and re-converging instances in a live environment. Process prevented untested code from making it to production, but it did happen.

The following is my attempt at creating a quick feedback loop when working with cookbooks that makes it easy to approach as an app developer.

Create the source files for your cookbook

You want to create a hello world cookbook to configure a server and then verify that it works.

metadata.rb

name "helloworld"
maintainer       "me"
maintainer_email "me@me"
license          "Apache 2.0"
description      "helloworld"
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version          "0.0.1"

README.md

hello world cookbook

recipes/default.rb

:;Chef::Log.error 'Hello World'

"Build" a cookbook

Enter test-kitchen. It helps you create different types of machines, and execute scripts and tests to verify your configuration.

We can start by creating a .kitchen.yml file containing the configuration we need to get going.

.kitchen.yml

---
driver:
  name: docker

provisioner:
  name: chef_zero
  require_chef_omnibus: latest

platforms:
- name: trusty
  driver_config:
    image: ubuntu:14.04
    platform: ubuntu

suites:
  - name: default
    run_list:
      - "recipe[helloworld::default]"

In this file, we have

• configured the Docker driver. test-kitchen will create a docker container, SSH into it, and execute your test suite. The driver configuration here + the docker image ubuntu-upstart is necessary to work around known issues with docker and upstart/systemd.
• defined your chef context - this could be chef_zero or chef-solo, they're essentially the same except chef_zero pretends to be a chef-server, whereas chef-solo knows he's not.
• defined the platform we want to run on. for the sake of example, we'll run ubuntu 14.04 from the docker registry
• defined the test suite

We're ready to run this through kitchen now. Add a Gemfile.

Gemfile

source 'https://rubygems.org'

gem 'test-kitchen'
gem 'kitchen-docker'
gem 'serverspec'

Run bundle install and then bundle exec kitchen converge. Test kitchen will now start the process of creating a container from your chosen image, it will SSH in, and install the chosen version of chef, and then finally run the recipe you defined in the test suite.

Test your cookbook

You can consider converging to be the equivalent to "running" or "building" a cookbook. If you have a successful converge and you see your Log message "helloworld", then congrats - you've got a hello world cookbook that you can test like any other application. You've created a project, you ran/built it, and you verified your changes.

In terms of the fastest feedback loops, you should:

• Use Chefspec to test that you're telling chef the correct things to do. These will run in a few seconds.
• Use Serverspec that chef did what you told it to. This will take 3-4 minutes using a container.

Adding Chefspec

spec/spec_helper.rb

require 'chefspec'

RSpec.configure do |config|
  config.mock_with :rspec do |mocks|
    mocks.syntax = :expect
  end

  config.platform = 'ubuntu'
  config.version = '14.04'
end

spec/recipes/default_spec.rb

require 'spec_helper'

describe 'hello-world-cookbook::default' do
  let(:chef_run) {
    ChefSpec::SoloRunner.new.converge(described_recipe)
  }

  it 'installs a file' do
    expect(chef_run).to create_file('/tmp/foobar')
  end
end

Run bundle exec rspec spec to start executing Chefspec tests. You'll see the failing test. Fix it by updating recipes/default.rb to create a file with content and watch it go green.

How not to use ChefSpec

it 'creates file' do
  expect(File.new('/tmp/foobar').exists?).to be_truthy
end

This won't work because the chef run only happens in memory as part of chefspec. No changes are actually made to the system. If you're running rspec from your terminal, then the chef run happens in memory on your system on your current OS. When you want to do this type of testing, it's easier to test this stuff in Serverspec.

Adding Serverspec

Add the following files

test/integration/default/serverspec/spec_helper.rb

require 'serverspec'

set :backend, :exec

test/integration/default/serverspec/default_spec.rb

require 'spec_helper'

describe file('/tmp/foobar') do
  it { should be_readable.by_user('root') }
  it { should contain('foo')}
end

Now run bundle exec kitchen verify. test-kitchen will update the container with the new cookbook, execute the cookbook inside the container, upload the test runner inside the container, and then execute the tests. This is a great way to test modifications to the system like if files exist with the correct permissions.

Lint your cookbook

Add rubocop & foodcritic to your project by adding it to your Gemfile,

gem 'rubocop'
gem 'foodcritic'

Rubocop will sniff out smelly parts of your ruby. It occasionally gives you good advice and can be helpful to keep consistent styling. It does need to be tuned lest it constantly complain about long lines.

Run 'bundle exec rubocop' to see what it complains about out of the box. Things like Style/FrozenStringLiteralComment are just not useful.

Foodcritic will look for Chef specific errors in your cookbook. Like if you meant to render a template but forgot to include the template file.

Some of the stuff it complains about I don't care for, so you can always ignore some by adding --tags ~RULE# to your command. You can see what it complains about out of the box by running bundle exec foodcritic ./.

Most of its initial complaints are about fields you should have in your metadata to be a good Chef citizen publishing open-source cookbooks. If you're using them in a private setting, then its just boilerplate.

You've now got an entire development flow for your configuration.

• Build the cookbook by running kitchen converge
• Unit test your Chef logic by running rspec spec with Chefspec
• Run an Integration Test by actually running Chef on the target container
• Lint your cookbook to keep it close to ruby best practices and to catch obvious Chef errors.

Stay tuned for Part 3 where we tie this into a CI workflow.

Debugging SSL issues are tough, especially when I hadn't dealt with them before and no one on the team was too familiar with our setup. I understood that using SSL certificates gives you the green Secure lock in Chrome, but that's about it. All the existing tooling assumes some level of knowledge about what certificates are and how they work. I guess that's fair - but why can't it be noob friendly.

Anyway, here's what I've wound up learning to trace down certificate errors. If nothing else, this is the one website that has everything you need - https://www.sslshopper.com/article-most-common-openssl-commands.html. Judging by the page ranking, I'm sure that website has helped a fair number of people get started with SSL issues.

Finding information about your current certificate

Going to Chrome helps you see certificate information if you're dealing with a web app, but where Chrome fails, you need to view things via the CLI. In my case, I was in the middle of setting up a proof-of-concept setup of the Logstash in the Elasticsearch/Logstash/Kibana centralized logging setup. If you want encrypted communication between your servers and logstash, you need to configure it to use a certificate on a specific port.

To get your website's certificate: openssl s_client -connect my.website.com:443 or in logstash's case openssl s_client -connect logstash.example.com:5044 At the bottom of the output, you'll see whether the certificate checks out and if not, for what reason. Common reasons to see a certificate error

• hostname mismatch. The hostname on the certificate is for foo.bar.com, but you are bar.bar.com.
• expired
• self-signed certificate for a public-facing website

Getting new certificates

This used to be bad news. Before Let's Encrypt came along, this happened to me within my first month or two in a new company and this meant that we had a multi-day turnaround & a $1-2k sticker price for a signed certificate from a public certificate authority. I had to take this path for one of our certs, but fortunately, it was a pre-prod environment so customers didn't incur any downtime.

We had a folder containing a bunch of private keys and public keys, but we couldn't tell which private keys were used to sign which certificates. Using the commands below, you can use the md5's of all pieces of the certificate to verify that they all belong to the same certificate.

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in i-think-its-this.key | openssl md5

If you're on AWS and using some of their services anyway, use the Amazon Certificate Manager. It gives you the same workflow as Let's Encrypt, except you can use the certificates on AWS services. You get free certificates that auto-renew.

Find out who's presenting the certificate

Different places you could find a certificate being presented on AWS:

• A Cloudfront distribution may be presenting a *.cloudfront.net certificate, or if using custom domains, a certificate that you've uploaded to AWS
• Elastic Load Balancers can present a certificate via HTTPS ports and either
  • terminate SSL at the load balancer and send plain text to the backend instance: openssl s_client -connect myservice-xxxx.ec2.amazonaws.com
  • terminate SSL and then validate a different certificate on the backend: openssl s_client -connect 10.0.0.10:443
  • pass the connection via TCP straight to the backend instance and let the instance present the certificate: openssl s_client -connect 10.0.0.10:5000

You can upload your own certificates to IAM. There's no UI for this feature of IAM certificates. You can only upload and browse them via the CLI.

In this section, we're going to set up our new Gatsby project as a blog, add a few posts, and get a blog working locally.

Pre-requisites:

• node v8
• npm
• git

You should be familiar with html, javascript, npm, and the command line. I won't go too far into details about using gatsby - here, I just want to get something half-decent looking on a live environment first. Knowing react may help you extend Gatsby, but you could also get by if you poke around. For the purpose of this tutorial, I don't want to include anything else other than JS.

Get started

Start by installing the gatsby cli and creating a new gatsby project

npm install --global gatsby-cli
gatsby new dannyperez-blog https://github.com/gatsbyjs/gatsby-starter-blog
cd dannyperez-blog

Gatsby Starter packs

Check out the full listing of starter packs here

Gatsby gives you a way of setting up your website using open-source templates. And they have a bunch of different options on that page for different use cases. These are the ones focused on blogs

• gatsby-starter-blog (demo)
• gatsby-starter-blog-no-styles (demo)
• gatsby-blog-starter-kit (demo)
• glitch-gatsby-starter-blog (demo)
• gatsby-starter-personal-blog (demo)
• gatsby-hampton-theme (demo)
• gatsby-starter-minimal-blog (demo)
• gatsby-advanced-blog (demo)
• gatsby-starter-hero-blog (demo)

To get started, we only need the gatsby-cli in this project, and only in development. In this example, I'm going to use gatsby-starter-blog

Make a checkpoint with git

npm install --save-dev gatsby-cli

git init
git add .
git commit -m"Initial commit"

gatsby develop

You should now be able to view your website on localhost:8000

Make some changes

Start personalizing it

• Update components/header.js to update the name of the site as it appears in the header
• Change to YOUR bio
• Add your first blog post by creating a new file with a title
  • The folder name under pages will be the URL that users see in the browser
  • The title: element in index.md is the title that appears in the list of posts, and the header of your blog post page

When you're finally done:

git add .
git commit -m "Personalized the site"

Remember:

• gatsby develop to see the site live on localhost:8000
• gatsby build when you want to prepare your site for publishing, and store it in public/
• gatsby serve when you want to see the prepared site in public/ on localhost:9000

Build the project

gatsby build

This will compile the project since Gatsby uses React. All the code will be generated and dropped into public/ for you. You'll see that public is in your .gitignore since gatsby will be generating all those files for you automatically.

If you run gatsby serve, you can see your built project - which should look identical to your project served by doing gatsby develop

Review

At this point, you have a node project on your computer. You can develop locally and make changes to your website. And you have a way of creating a "built" version of your website that you can then put on whatever host you want.

I was running a wordpress blog with Bluehost where I shared things that I learned during my college CS classes. As I started learning how to write and serve java + ruby projects, I wanted to make them public, but couldn't run them off my laptop which was my one and only machine. I was also getting limited by what I could do via Bluehost - either the plan I was on didn't give me direct SSH access, or I didn't know what SSH was at the time and I was used to admin'ing with cPanel and couldn't think of how you install ruby via cPanel.

I deployed my next few apps via Heroku, CenturyLink (fka AppFog), and AWS. They get more expensive as the tech gets more and more sophisticated, but the apps I was writing also needed databases and both Heroku + CenturyLink made it easy to link a database to your application. It seemed like a worthwhile expense and I focused on learning those in order to get my applications deployed.

If you want to keep costs low, DigitalOcean and other VPS hosts like Bluehost can give you a server with a public IP address for ~5/mo. Server costs would run you ~60/yr, not a bad investment for learning. You can always run a server out of your home (like a Mac Mini running in your living room). Although it can be a very good lesson in how to set up your network so that requests to your IP can arrive at your home server, you also expose your personal home network to potential hackers - FYI. Once you want to have multiple applications running at once, then it'll be worth it to learn about other hosting providers like AWS and GCP, along with a bit of a bigger sticker price for more reliable infrastructure.

I currently work as an engineering manager at an ed-tech company focused on helping our teams ship their applications (APIs, websites) quickly and safely. Our DevOps engineers are responsible for building the tools that teams use to deploy and operate their apps in production hosted on AWS. Our team recently hired 2 junior devops engineers and a few interns so I wanted to share a few things that made some candidates stand out over others.

*Your mileage may vary, and different people and companies may have different expectations around a junior devops engineer based on how they've implemented their role. Here's one more data point.

1. You've deployed a website or one of your own projects, and can talk about it

Examples: You've built an Android app, a website using ruby on rails, express for node, flask for python, react for the front-end, an npm package. It's incredibly helpful for you to have experienced more than one.

You've got some projects under your belt whether they're tinkering on your own, part of your grad course, or at your current job. Building and hosting a blog counts, but I'd expect to see one or two other projects that aren't a blog. I also expect you to be to talk at length about it - please tell me about that HTTP 500 error you spent 4 hours chasing down. I honestly love hearing a good memory leak story.

The main thing I'm looking for in this respect is that you've gone through the full lifecycle of building a package, testing to make sure it works, releasing it, and then monitoring it to see if did what you expected. Always be shipping!

2. You know what its like to work as part of a team and what its like to interface between different people/teams to get something done.

This one isn't quite so specific to DevOps but I think becomes a bit more important. You've worked in teams and people like to work with you and you like to work with people. There's no room for egos or jerks, and it might be hard to judge in an interview (there's even a Quora thread specifically around weeding out jerks). I mainly want to see that you've been able to deal with differing personalities on projects and how it may or may not have affected your success.

One helpful characteristic that I've seen from non-jerks is the willingness to teach and help someone else through their problem. For example, one engineer worked as a CS tutor and then put together a Slack channel where students could help each other on some school projects. Another engineer started working with another employee in the company guiding them through building features to automate some painful aspects of their job.

3. You've worked on multiple different projects and not the same project multiple times

Over the span of a few resumes, there were a handful of candidates that stuck out - for the wrong reasons.

• I had asked one engineer why he chose Jenkins for a particular solution and they responded by saying it was the only system he knew. I expect you to know of a few alternatives to your favorite tools and when you would recommend one over the other. If you're a fan of Jenkins, I'd expect you to know when to recommend Jenkins over Travis/CircleCI/Insert-CI-Tool-Here.
• Another trend was that of an engineer (not a contractor) working on a team that worked on deployment pipelines using the same tools in 6-month to 1-year stints at multiple companies. If all you have is a hammer, everything looks like a nail. After the 3rd instance of it on a resume, I wonder whether they're really good at using the hammer, or if everything just looks like a nail.

I'd expect a good candidate to have a curious mind and work on different types of projects over time. Maybe you like doing some Unity game development in your spare time, or you've been dabbling in data analytics or machine learning projects. Some candidates even have a handful of robotics projects. Not all our projects see life in production, but we still learned a good deal while figuring that out. In a DevOps role, you'll see applications of different shapes, sizes, and color so its helpful to have seen some of that variety on your own before you see it at a new job.

4. You've used AWS (or other cloud provider at least) in some capacity for your projects

You've played around with some of what AWS has had to offer. You may have set up a website using S3, you've managed to get an application running on Elastic Beanstalk, or a nodejs backend hosted on EC2. For me, I had started learning with EC2 and Chef (if I would do it over again, I would start with S3). If you haven't and all you've used is a hosted VPS, try migrating it to AWS - its a great place to start. A few candidates had built pet projects using S3 + RDS - that's great to see.

If you've got some of these characteristics, you're in great shape - stop thinking twice about applying for that job and take it. If you feel you're a little short, you've got some direction with where to focus whether its building an app and deploying it to AWS S3, working on a different type of project like chef cookbooks, or working with other people on your projects. Agree or disagree? How do you know if you've got enough experience to get into a DevOps gig? Let me know in the comments.

Setting up browser tests

We can use nightwatch js to set up some happy path tests for your blog. I've used this getting started guide to get up and running quickly with nightwatch.

npm install --save-dev nightwatch selenium-server chromedriver

Create a nightwatch.conf.js and save it in the project folder

const seleniumServer = require("selenium-server");
const chromedriver = require("chromedriver");
const SCREENSHOT_PATH = "./screenshots/";

// we use a nightwatch.conf.js file so we can include comments and helper functions
module.exports = {
"src_folders": [
"test/"// Where you are storing your Nightwatch e2e tests
],
"output_folder": "./reports", // reports (test outcome) output by nightwatch
"selenium": {
"start_process": true, // tells nightwatch to start/stop the selenium process
"server_path": seleniumServer.path,
"host": "127.0.0.1",
"port": 4444, // standard selenium port
"cli_args": {
"webdriver.chrome.driver" : chromedriver.path
}
},
"test_settings": {
"default": {
"screenshots": {
"enabled": true, // if you want to keep screenshots
"path": SCREENSHOT_PATH // save screenshots here
},
"globals": {
"waitForConditionTimeout": 5000 // sometimes internet is slow so wait.
},
"desiredCapabilities": { // use Chrome as the default browser for tests
"browserName": "chrome"
}
},
"chrome": {
"desiredCapabilities": {
"browserName": "chrome",
"javascriptEnabled": true // turn off to test progressive enhancement
}
}
}
}

function padLeft (count) { // theregister.co.uk/2016/03/23/npm_left_pad_chaos/
return count < 10 ? '0' + count : count.toString();
}

var FILECOUNT = 0; // "global" screenshot file count
/**
* The default is to save screenshots to the root of your project even though
* there is a screenshots path in the config object above! ... so we need a
* function that returns the correct path for storing our screenshots.
* While we're at it, we are adding some meta-data to the filename, specifically
* the Platform/Browser where the test was run and the test (file) name.
*/
function imgpath (browser) {
var a = browser.options.desiredCapabilities;
var meta = [a.platform];
meta.push(a.browserName ? a.browserName : 'any');
meta.push(a.version ? a.version : 'any');
meta.push(a.name); // this is the test filename so always exists.
var metadata = meta.join('~').toLowerCase().replace(/ /g, '');
return SCREENSHOT_PATH + metadata + '_' + padLeft(FILECOUNT++) + '_';
}

module.exports.imgpath = imgpath;
module.exports.SCREENSHOT_PATH = SCREENSHOT_PATH;

Then run node nightwatch.conf.js to get selenium-server installed on your machine so that nightwatch can interact with the browser

Add test/happy-path.js to write our test

var config = require('../nightwatch.conf.js');

module.exports = {
'Danny Perez Blog test': function(browser) {
browser
.url('http://localhost:9000/')
.waitForElementVisible('body')
.assert.containsText('body', 'Gatsby Default Starter')
.end();
}
};

Before we start running our tests, we must first get it running. We can do this by doing gatsby build && gatsby serve & to put the process in the background.

Once the site is up, we can run nightwatch which will run the tests you have in your test/ folder.

Set up automated scripts to repeat the whole process

To recap what we did earlier,

• in order for us to be able to view our site, we first need to gatsby build the site, which will store everything in public/.
• running gatsby serve will serve the content you currently have in the public/ folder
• running nightwatch will then run the tests you've defined in test/

Best practice is to run these scripts with npm. Add these scripts to your package.json

...
"scripts": {
"build": "gatsby build",
"serve": "gatsby serve",
"develop": "gatsby develop",
"format": "prettier --write 'src/**/*.js'",
"test": "nightwatch"
},

so now, you can do npm run-scripts build && npm run-scripts serve & and then npm run-scripts test and you're good to go as far as developing and testing your new application.

At a high level, this means being able to provide:

• a CI workflow
• knowledge of release workflows
• an automated delivery workflow of multiple services to multiple test environments
• production monitoring & alerting

A senior engineer should know how to provide these basic resources to the engineering team in a way that allow for quick release cycles. They might have a specialty in one of these areas, but know enough to provide a decent foundation across all of these areas. Let's see what this means in practice.

Setup and support a CI system/workflow to support many services spanning multiple engineering teams.

This is like basic need number one of any developer or dev team. These questions should have decent answers:

• How/Where should I run my browser tests?
• How/Where do I test my configuration/infrastructure-as-code?
• How do I get more nodes to run more tests?
• Can your teams build out their pipelines as they want?
• Are they able to deploy to production on their own?
• How do I deploy?

For example - a team of 20 engineers are building an android app - maybe you set up AWS Device Farm, Code Build, and CodePipeline and provide terraform/cloudformation modules and best practices to get your teams onboarded quickly. They should be able to view logs, retry builds, see screenshots of their tests to name a few. If you're a small team with just a few services, TravisCI/CircleCI might be good enough. If you're a bigger team, you might opt to use Gitlab. If you have very specific testing requirements, you might need to lean on Jenkins.

Some practices scale better than others, and a lot of it has to do with some of your organization culture. I've seen dozens of teams each managing their own Jenkins instance, as well as a dozen teams depending on a centrally managed Jenkins instance. In one context it works great, while at another, it might be a nightmare in practice.

Have seen multiple release workflows

As the number of sites/services that your team creates increases, you need to have a method to the madness to get things shipped out quickly to customers and also keep all your internal stakeholders updated as you ship out changes. I'd hope they've gotten to see a good many of them and most importantly, I'd love for someone to be able to provide great feedback about a poor release workflow they've seen.

Some teams create interesting workflows to support it. Things like a release train for organizing releases across teams, or a continuous delivery environment where everything gets shipped after it goes through the pipeline. A senior engineer would be able to recommend and implement a proof-of-concept with other engineering teams outlining the release process. Will you be using an ITIL workflow

Set up automated deployments to different runtimes and environments

At the beginning, your teams might be focused on JS, but there will come a time where there's a solution that can only be built using a different language. Or a different framework. As your teams grow, your configuration management solution should scale to the needs of your teams. Are they able to deploy java apps as quickly/easily and nodejs apps? What if you need to introduce python/go into the mix, how much or how little of your pipeline needs to change?

You might set up a docker build/deploy workflow where teams can build/deploy whatever they want to their container to a mangaged k8 cluster, OR you might have a Chef/Ansible workflow where deployments are centrally executed from chef-server or Ansible tower. Maybe using scp to deploy to a remote server is really all you need.

Configure and scale a distributed monitoring platform for applications and infrastructure

When you deploy your application, you need to see whether or not it works as intended. Your teams should have all the tools available at their disposal - they should be able to view things like:

• CPU/memory metrics and plot it on a graph alongside other hosts
• centralized logs across all hosts

As you get more mature and your needs grow, you'll want to add more custom metrics to your application like application level details using tools like NewRelic APM and/or Datadog.

To start with, maybe using a SaaS tool like Papertrail or logz.io might be good enough. As your services grow and needs change, it might make sense to use a bigger provider like Splunk or Elastic. Or if your senior engineers have a specialty in this area, they can deploy an elasticsearch + kibana + logstash/fluentd architecture and link it automatically to all of your services.

Conclusion

There are other things that I'm paying attention to with senior engineers (especially with regards to things like security practices), but their experiences and solutions to these common basic problems is what I'm interested in the most. What I'm looking for is experience seeing different types of applications get deployed across a wide variety of teams with differing requirements and priorities. After you've seen a few, you're able to see processes that work and ones that don't.

How you release to production is a particular interest of mine, and there's always something to learn in what other companies do. What's the best/worst release process you've seen? Let me know in the comments.

1. Have a way of sharing credentials internally including non-technical users. Use something like LastPass Enterprise, 1Password Teams to share things like admin logins and billing credentials. These services also come with an extension for most browsers to auto-fill your passwords on all your sites and you can still share them with groups. Things like database credentials aren't a great fit here, and belong closer to the machines that need to read them where your engineers can interact with them.

2. Have a way of securely storing & sharing sensitive files including non-technical users. LastPass lets you save files, perfectly fine for things like zips containing SSL certificates and that kinda thing. It's not a good fit for sending things like sensitive PDFs. Google Drive/Dropbox work up to a certain extent, but lack good auditing features to know which files were shared with what users. Egnyte & Accellion offer paid services for this particular type of use case (and you'd probably have compliance/regulatory requirements) before you really need it.

3. Have a safe way of sending secrets to someone else (not to a group). Some of your users will likely be sending over slack and then deleting the message - this is a terrible solution - but I'm also guilty of it - its just too easy. onetimesecret.com is a useful site that lets you send secrets using a one-time use link (and they can have a passphrase, and expire too). Vault can do "response wrapping" which lets you share a secret without you ever seeing the secret - not very user-friendly, but more dev-friendly.

4. Have a way of storing machine-facing credentials somewhere thats not on your computer. This is where using tools like Vault or AWS Parameter Store make it super-easy if you're working in a cloud environment on a larger team. You can also go barebones and store them in git using git-crypt or using AWS KMS to encrypt secrets locally. You can always use Encrytped Data Bags from Chef, Ansible Vault, or Puppet hiera-eyaml if you're using one of those config management systems.

The last thing is figuring out a decent authorization scheme so that you know who has access to what. That largely depends on how well you can define "who", the different types of "access", and "what" are all the permutations of things people can have access to.

If you've tried using the Parameter Store console, you'll know that the experience isn't great. But the ease/security of using it outweighs a few of its nuisances. Here's how we've dealt with some of these annoying bits.

the ui isn't that great to use.

One really annoying bit is that I can't easily search for parameters across the whole Parameter Store. For example, I can't search for all parameters starting with "db_" i.e. *db_*

a useful workaround - do a quick search* of parameter store. this requires getting all the parameters - but lets you apply plain regex across available paths which you can't quite do in the UI. *It is a little bit slow but can get you a quick preview of the secrets you have available

> aws ssm describe-parameters \
  --output text \
  | egrep '^PARAMETERS' \
  | awk '{print $5}' \
  | egrep $REGEX
  
/dev/myApp/foo
/dev/myApp/bar
...

anyone know of a better way of doing this?

keep your db connection parameters together as unique entities.

use a convention like /$env/databases/$appDb/{host,user,password,port,dbname} which should include all the fields necessary to build out the ODBC connection string

This would let you control who has access to which sets of databases via IAM policies. You can also script it to automatically log you into a database without you needing to see the password.

here's an example of how you might do it in bash

dbInfo=$(aws ssm get-parameters \
  --names "/dev/dbs/$dbName/database" \
  "/dev/dbs/$dbName/host" \
  "/dev/dbs/$dbName/password" \
  "/dev/dbs/$dbName/port" \
  "/dev/dbs/$dbName/user" \
  "/dev/dbs/$dbName/scheme" \
  --region $REGION \
  --with-decryption \
  --query Parameters[*].Value \
  --output text | tr "\t" " ")

function set_parameters {
  database="$1"
  database_host="$2"
  database_pass="$3"
  database_port="$4"
  database_scheme="$5"
  database_user="$6"
}

set_parameters $dbInfo

if [ "$database_scheme" = "mysql" ];
then
  MYSQL_PWD=$database_pass mysql -h $database_host -P $listen_port -u $database_user $database_database
else
  PGPASSWORD=$database_pass psql -h $database_host -p $listen_port -U $database_user -d $database_database
fi

stick to the naming convention

This is the convention we've used for our parameters which has scaled ok. We've got 10-20 databases, ~50 services spanning 6+ environments organized with this structure.

/$environment_name/databases/$database_name/{host,port,pass,user}
                            /databags/$service_name/{all,my,server,creds}
                            /other_sensitive_info/{foo,bar,baz}

We borrowed databags from our days using chef cookbooks & encrypted databags. It basically just means that there's a bunch of parameters under keys belonging to a service.

This lets us scope access in a few different dimensions via IAM policies. We can say that a developer should have access to database secrets in a dev environment, but only service secret in prod.

{
    "Effect": "Allow",
    "Action": [
        "ssm:GetParameters"
    ],
    "Resource": [
        "arn:aws:ssm:us-east-2:123456123:parameter/dev/databases/*",
        "arn:aws:ssm:us-east-2:123456123:parameter/prod/databags/myService/*"
    ]
}

you can't stuff big items into parameters

We used to use the certificate cookbook to install certs on our hosts which required us to keep our certificates stored in this format

{
  "id": "mail",
  "cert": "-----BEGIN CERTIFICATE-----\nMail Certificate Here...",
  "key": "-----BEGIN PRIVATE KEY\nMail Private Key Here...",
  "chain": "-----BEGIN CERTIFICATE-----\nCA Root Chain Here..."
}

But you can't stuff this as json into a parameter due to the size limitations of 4096 characters

use labels/pointers to help you rotate passwords

password rotation is an inherently hard problem, but one strategy could be to use pointers (or what they now call labels) to secrets. for example, lets say you want to rotate an encryption key, but you have multiple services relying on it.

you could do something like

/dev/databags/my-service/current     = 2 (index of actual secret)
                        /1           = 'secret 2018'
                        /2           = 'secret 2019'

Your applications need to know to follow the pointer and read the intended secret. You'd typically do this by regenerating a config file and bouncing your service.

Fortunately, You can do this natively now on AWS with labels on parameters. Rotating passwords can also be done using Lambda and Secrets Manager - check out this walkthrough here

param store keeps versions of your parameters, but not if you delete them

The docs indicate that parameters are versioned, and they are versioned while they exist. So if you accidentally delete a parameter, the history is gone with it. The consensus seems to be that you should export your parameter store database to S3 or Dynamodb but I haven't come across tools in this space yet.

some related tools that support param-store

secretly for exporting secrets into your environment, written in python - https://github.com/energyhub/secretly parameter-store-exec - similar to secretly, written in go. for commands with access to secrets, written in go - https://github.com/cultureamp/parameter-store-exec confd for putting into config files - https://github.com/kelseyhightower/confd as part of a consul-template - https://github.com/hellofresh/consul-template-plugin-ssm chamber for managing secrets including parameter store - https://github.com/segmentio/chamber

Hope these tips help, also interested to hear how other people have worked around param-store's nuisances and/or wrote cool integrations with it.

Below, we've got 10 frequently used SQL snippets for managing users.

1. add a user
2. reset a password
3. checking users privileges
4. revoking privileges
5. remove a user
6. expire passwords/temporary credentials
7. checking expiration time
8. granting read-only access
9. checking if a user exists
10. some debug information that might help

If you want to play around with these scripts with a development database, start them up using docker and connect to it:

in postgres:

# start postgres in docker
docker run --rm --name pgsql -e POSTGRES_PASSWORD=password -p 5555:5432 -d postgres
e0e76a6af8b1f83cf91295ae5430cbf2ecd95337977b53653f312024d8aab3ad

# connect to postgres
psql -h 127.0.0.1 -p 5555 -U postgres -d postgres

in mysql:

# start mysql in docker
docker run --rm --name mysql -p3307:3306 -e MYSQL_ROOT_PASSWORD=password -d mysql
# connect to mysql
mysql -h 127.0.0.1 -P 3307 -u root -p

1. add a user

in postgres:

CREATE USER '${user}' WITH PASSWORD '${password}';
GRANT ALL ON DATABASE '${db}' TO '${user}'; -- grants read/write to everything in this database instance
-- OR
GRANT CONNECT ON DATABASE '${db}' to '${user}'; -- only allows the user to connect, but nothing more.

* https://www.postgresql.org/docs/8.0/static/sql-createuser.html

in mysql:

CREATE USER '${user}' IDENTIFIED BY '${password}';
GRANT ALL PRIVILEGES ON ${db}.* TO '${user}';

* https://dev.mysql.com/doc/refman/8.0/en/adding-users.html

2. reset a password

in postgres:

ALTER ROLE '${user}' WITH PASSWORD '${pw}';

* https://www.postgresql.org/docs/8.0/static/sql-alteruser.html

in mysql:

ALTER USER '${user}' IDENTIFIED BY '${pw}'

*heres 2 more ways of doing this: https://www.geeksforgeeks.org/mysql-change-user-password/

3. checking a users privileges

in postgres:

This will list all the databases and show you all the roles that have access to it.

postgres=# \l
                                 List of databases
   Name    |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges
-----------+----------+----------+------------+------------+-----------------------
 postgres  | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 template0 | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
           |          |          |            |            | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
           |          |          |            |            | postgres=CTc/postgres

This will show all the role names and the other roles they include.

postgres=# \du
                                   List of roles
 Role name |                         Attributes                         | Member of
-----------+------------------------------------------------------------+-----------
 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

This will show all the tables that a user has access to

postgres=# \z
                                 Access privileges
 Schema |  Name  | Type  |     Access privileges     | Column privileges | Policies
--------+--------+-------+---------------------------+-------------------+----------
 public | foobar | table | postgres=arwdDxt/postgres+|                   |
        |        |       | dperez=r/postgres         |                   |
 public | test   | table | postgres=arwdDxt/postgres+|                   |
        |        |       | dperez=r/postgres         |                   |
(2 rows)
 ...

See the postgres docs on grants to decipher that description

in mysql:

mysql> SHOW GRANTS FOR '${user}';
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO '${user}'@'localhost' WITH GRANT OPTION |
+---------------------------------------------------------------------+

4. revoke privileges

in postgres:

REVOKE ALL PRIVILEGES ON DATABASE '${db}' from '${user}';

* https://www.postgresql.org/docs/9.1/static/sql-revoke.html

in mysql:

REVOKE ALL PRIVILEGES ON '${db}.*' FROM '${user}';

*https://dev.mysql.com/doc/refman/8.0/en/revoke.html

5. remove a user

in postgres:

DROP ROLE IF EXISTS '${user}';

You might see an error message like: ERROR: role "testuser" cannot be dropped because some objects depend on it DETAIL: $somethingUseful this means that your user has dependencies with other objects - things like privileges and other tables. In this case, you'd need to run:

REVOKE ALL PRIVILEGES ON DATABASE '${db}' from '${user}';
DROP ROLE IF EXISTS '${user}';

If this fails, then try

DROP OWNED BY '${user}';
DROP ROLE IF EXISTS '${user}'

* https://stackoverflow.com/questions/3023583/postgresql-how-to-quickly-drop-a-user-with-existing-privileges

The irony here is that you would typically use DROP ROLE IF EXISTS so that a script would not error out if the role did not exist. However, when the role does NOT exist, you get back a successful response. When the role DOES exist, it will likely have privileges and require you to run REVOKE ALL PRIVILEGES - and unfortunately you cannot do REVOKE ALL ... IF EXISTS. It kind of renders the whole DROP ROLE IF EXISTS convenience statement useless.

in mysql:

DROP USER IF EXISTS '${user}';

Thank you for being so straightforward about it, mysql.

6. expire a password / temporary credentials

in postgres:

ALTER ROLE '${user}' WITH PASSWORD '${password}' VALID UNTIL '${expiration_timestamp}';

Here, expiration_timestamp has the format Nov 3 12:00:00 2018 +1 and means the time at which the password will no longer work. *https://www.postgresql.org/docs/9.2/static/sql-alterrole.html

in mysql:

ALTER USER '${user}' PASSWORD EXPIRE INTERVAL 1 DAY;

The statement seems to only allow DAY as the interval unit. So INTERVAL 90 DAY would be correct (note: no plural s in day).

7. how to check expiration time of password

Once you set a password expiration time, it would be useful to see what that time is.

in postgres:

SELECT valuntil AS valid_until FROM pg_user WHERE usename = '${user}';

in mysql:

SELECT DATE_ADD(password_last_changed, interval password_lifetime day) AS valid_until FROM mysql.user WHERE user = '${user}';

8. granting read-only access

in postgres:

GRANT USAGE ON SCHEMA public TO '${user}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO '${user}';

* related thread about what grant all privileges on database actually does You might find later on that if you add a table, this read-only user does not have access to read that table. In which case, run the following to make sure that you by default get privileges on tables:

ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO '${user}';

* more info here - https://stackoverflow.com/questions/760210/how-do-you-create-a-read-only-user-in-postgresql

in mysql:

GRANT SELECT ON '${db}'.* TO '${user}';

9. check if a user exists

in postgres:

SELECT 1 FROM pg_roles WHERE rolname='${user}';

in mysql:

SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '${user}');

10. get some debug info about your current user

in postgres:

postgres=# \conninfo
You are connected to database "postgres" as user "postgres" on host "127.0.0.1" at port "5555".
postgres=# SELECT CURRENT_USER;
 current_user
--------------
 postgres
(1 row)

postgres=# SELECT CURRENT_USER(); -- you can't use it as a function
ERROR:  syntax error at or near "("
LINE 1: SELECT CURRENT_USER();

in mysql:

mysql> select CURRENT_USER();
mysql> select CURRENT_USER; -- both this and the above function return the same result
+----------------+
| current_user() |
+----------------+
| dperez@%       |
+----------------+
mysql> status
--------------
mysql  Ver 14.14 Distrib 5.7.22-22, for osx10.11 (x86_64) using  EditLine wrapper

Connection id:    683
Current database: dpereztest
Current user:   dperez@10.162.9.100
SSL:      Cipher in use is DHE-RSA-AES128-SHA
Current pager:    less
Using outfile:    ''
Using delimiter:  ;
Server version:   8.0.11 Source distribution
Protocol version: 10
Connection:   127.0.0.1 via TCP/IP
Server characterset:  utf8mb4
Db     characterset:  utf8mb4
Client characterset:  utf8
Conn.  characterset:  utf8
TCP port:   5555
Uptime:     2 days 7 hours 55 min 53 sec

Threads: 3  Questions: 107602  Slow queries: 0  Opens: 285  Flush tables: 2  Open tables: 259  Queries per second avg: 0.534
--------------

I hope this helps as a useful guide the next time you need to manage users on a postgres or mysql database. There's dozens of more things you can do to customize your users and their access levels, but this guide should serve as a starting off point with links to the docs to help you do what you're trying to do.

If you're managing users and credentials across multiple teams, you might want to check out:

• things to be aware of when managing passwords among bigger teams.
• a recent experience storing secrets in AWS Parameter Store

Each day this week, I'll be posting one thing I've learned while getting started with webdriverIO. Here's the tip for today

Using $$.selector vs browser.elements(selector)

One of the first use cases I tackled in my test was finding all elements with a particular CSS class and then doing something to them. The docs seem to indicate that browser.$$(selector) is a shorthand for browser.elements(selector) and they seem to be synonymous except for a small difference:

$$(selector) will return items that you can take an action like .click() on .elements(selector) returns a WebElement JSON object (see more info about it on the github issue) - but its basically a JSON object that contains an ID (looks like a decimal number).

If you try to click on the first element in a group using something like browser.elements(selector)[0].click(), you might get an error like Can't call click on undefined because it does not return an array, but an object containing a key called value which has Ids for those elements.

Here's an example of the value of $$(selector)

> browser.$$(".link-gray-dark")
[ { ELEMENT: '0.15821111822631395-1',
    'element-6066-11e4-a52e-4f735466cecf': '0.15821111822631395-1',
    value: { ELEMENT: '0.15821111822631395-1' },
    selector: '.link-gray-dark',
    index: 0 },
  { ELEMENT: '0.15821111822631395-2',
    'element-6066-11e4-a52e-4f735466cecf': '0.15821111822631395-2',
    value: { ELEMENT: '0.15821111822631395-2' },
    selector: '.link-gray-dark',
    index: 1 },
    ....

and now compare that to browser.elements(selector)

> browser.elements(".link-gray-dark")
{ sessionId: '651d1e513eb87326a67969d65bbd597c',
  value:
   [ { ELEMENT: '0.15821111822631395-1',
       'element-6066-11e4-a52e-4f735466cecf': '0.15821111822631395-1',
       selector: '.link-gray-dark',
       value: [Object],
       index: 0 },
     { ELEMENT: '0.15821111822631395-2',
       'element-6066-11e4-a52e-4f735466cecf': '0.15821111822631395-2',
       selector: '.link-gray-dark',
       value: [Object],
       index: 1 },

For the most part, I can do everything I want to do with $$(selector) since I'll usually try to find a group of elements and either click on them or input text on some of them.

One reason you might want to use browser.elements(selector) instead would be if you needed to use one of the webdriver Protocol methods like elementIdClick(id) or elementIdName(id), and elementIdScreenshot(id) (which will take a screenshot of ONLY the element you want and not the whole page, neat!). Webdriver gives you a nice API so that you generally don't need to use these methods, but there are some nice features there if you do need to use them.

Recap

Prefer to use $$(selector) since it should be enough for the majority of your use cases.

If you need access to some of the elementId* methods like elementIdClick(id) that show up under the Protocol section in the docs, then use browser.elements(selector).

EDIT 10/2019 - I've published a new video to my Youtube Channel where I debug a test and show you how browser.debug() alongside the VS Code Debugger. Check it out!

https://youtu.be/wvvIz60DNp4

timeouts

Lets go over a simple use case. Going to a website and dropping you into the webdriverIO REPL:

describe('a test', function() {
  it('runs', function() {
    browser.url('https://msn.com');
    browser.debug();
    expect(true).toBeTruthy();
  });
});

Running this test does exactly what I want. It drops me into the webdriverIO REPL so that I can start interacting with the page. I'm still in the middle of the test and the expectation hasn't run yet:

[16:58:20]  DEBUG	Queue has stopped!
[16:58:20]  DEBUG	You can now go into the browser or use the command line as REPL
[16:58:20]  DEBUG	(To exit, press ^C again or type .exit)

>

The first time you run this, you'll be disappointed to see feedback about a failing test due to a timeout. Something like

> F

0 passing (15.80s)
1 failing

1) a testsuite1 runs:
Error: Timeout - Async callback was not invoked within 10000ms (set by jasmine.DEFAULT_TIMEOUT_INTERVAL)
running firefox
Error: Timeout - Async callback was not invoked within 10000ms (set by jasmine.DEFAULT_TIMEOUT_INTERVAL)
    at <Jasmine>
    at ontimeout (timers.js:498:11)
    at tryOnTimeout (timers.js:323:5)
    at Timer.listOnTimeout (timers.js:290:5)

What just happened? Your test has a default timeout of 10 seconds as defined by Jasmine. Because we're in the middle of the test, Jasmine is still keeping track of the test execution time and will kill your test because it looks like its hanging. Normally, this is what you want because if you're waiting for a selector to appear on the page, and you're on the wrong page, you want the test to fail when it can't find it in time. In this situation where I want to debug my test, its annoying because I need to change this whenever I want to use browser.debug().

You can change this in your wdio.conf.js file by changing the jasmineNodeOpts

// Options to be passed to Jasmine.
jasmineNodeOpts: {
    //
    // Change this to something really large...
    // but not too large
    defaultTimeoutInterval: 10000,

losing context

When you drop into the REPL, you lose a little bit of context. For example, with a test like this:

describe('a test', function() {
  it('runs', function() {
    browser.url('https://msn.com');
    var foo = "Bar";
    browser.debug();

    expect(true).toBeTruthy();
  });
});

Once you're in the REPL, you won't be able to see the value of foo.

[17:38:54]  DEBUG	Queue has stopped!
[17:38:54]  DEBUG	You can now go into the browser or use the command line as REPL
[17:38:54]  DEBUG	(To exit, press ^C again or type .exit)

> foo
evalmachine.<anonymous>:1
foo
^

ReferenceError: foo is not defined
    at evalmachine.<anonymous>:1:1
    at ContextifyScript.Script.runInThisContext (vm.js:50:33)

So the REPL is useful for being able to interact with the browser object while in the middle of your test, but not useful for inspecting your current context and the values of your variables. For that, we'd probably need to lean on the native node debugger, or as always..., some console.logs. You can however use it as a typical node REPL and set variables and print things to the console.

Recap

When using browser.debug() to use the webdriverIO REPL, there are 2 things you need to keep in mind

• your test framework (in this case Jasmine) has a global default timeout which will prevent you from using the REPL productively so remember to change it to a big number when you're trying to debug
• you'll lose context so you won't be able to see the values of existing variables.

Last week, I started working on integrating a test suite previously built using Nightwatch, and making it work with webdriverIO. While I love all of webdriverIO’s features like synchronous code when using their test runner and a REPL, there were a few things that I’d like to share which were a little hard to find in the docs or on a quick search.

In case you missed it... Each day this week, I've been posting one thing I've learned while setting up webdriverIO. Check out my previous posts here:

• Using $$.(selector) vs browser.elements(selector)

The easiest way should be to:

// get some of the headers on wikipedia.org
> browser.getText("#mp-topbanner > ul > li")
[ 'Arts',
  'Biography',
  'Geography',
  'History',
  'Mathematics',
  'Science',
  'Society',
  'Technology',
  'All portals' ]

One exception that I seem to get intermittently with browser.getText(selector) (and also with waitForVisible) is the damn Invalid Argument error. Here's an example of the issue

> browser.url('http://webdriver.io')
> browser.getText('nav > ul > li')
[ 'I/O',
  'Home',
  'Developer Guide',
  'API',
  'Contribute',
  '',
  'API Version',
  '' ]
> browser.getText('nav > ul > li')
/Users/dperez/Documents/projects/tchdp/wdio-tips/node_modules/wdio-sync/build/index.js:357
            throw e;
            ^

Error: java.net.SocketException: Invalid argument
    at new RuntimeError (node_modules/webdriverio/build/lib/utils/ErrorHandler.js:143:12)
    at Request._callback (node_modules/webdriverio/build/lib/utils/RequestHandler.js:316:39)
    at Request.self.callback (node_modules/webdriverio/node_modules/request/request.js:185:22)
java.net.SocketException: Invalid argument
[chrome desktop #0-0] Error: An unknown server-side error occurred while processing the command.

The first call to getText succeeded, and the second call which ran immediately after, ran into an error. I believe the error message is coming from Selenium server, and it sends back a very helpful message about invalid arguments. It tends to happen when your selector returns too many elements. In the above example, the selectors were returning 8/9 elements. I've also seen it crap out even with 3 elements, so there's something else going on there.

Here's a workaround. Query for the elements and loop over them manually. I've found this to be a lot less flaky:

> $$("#mp-topbanner > ul > li").map(function(element){
    return element.getAttribute('innerText')
})
[ 'Arts',
  'Biography',
  'Geography',
  'History',
  'Mathematics',
  'Science',
  'Society',
  'Technology',
  'All portals' ]

recap

Selenium can be flaky, and while webdriverio does a good job at making writing tests a lot easier, it does have to deal with the webdriver API at the end of the day. If you're seeing SocketException: Invalid argument, its best to skip the convenience of getText and loop over your elements.

Last week, I started working on integrating a test suite previously built using Nightwatch, and making it work with webdriverIO. While I love all of webdriverIO’s features like synchronous code when using their test runner and a REPL, there were a few things that I’d like to share which were a little hard to find in the docs or on a quick search.

In case you missed it... Each day this week, I've been posting one thing I've learned while setting up webdriverIO. Check out my previous posts here:

• Using $$.(selector) vs browser.elements(selector)
• Using browser.debug() to help debug your tests

In this example, I'd like to use waitUntil to check that multiple elements are visible

browser.waitUntil(function() {
  return doesNotExist.$$('#elem-1').isVisible()
    && browser.$$('#elem-2').isVisible()
})

Here's what I see when I run this inside a test:

☁  wdio-tips  wdio

F

0 passing (15.30s)
1 failing

1) a testsuite1 runs:
Failed: Promise was rejected with the following reason: doesNotExist is not defined
running firefox
error properties: Object({ details: undefined, type: 'WaitUntilTimeoutError', shotTaken: true })
Error: Promise was rejected with the following reason: doesNotExist is not defined
    at waitUntil(<Function>) - index.js:312:3

The key thing to notice here is the test time of 15.3 seconds before it gave up with an error. waitUntil runs your function on an interval (default 500ms) for a total 10s timeout period. So that means that the function has run 20 times during those 10 seconds, but you only see the error message at the very end once it times out.

The annoying part about this is the amount of time it takes to get the feedback, but once you see the error message, you can fix it and double check the rest of it for syntax errors so that you don't spend all your time waiting 10s for that feedback. I think this is just the catch with using browser.waitUntil using their synchronous API.

Last week, I started working on integrating a test suite previously built using Nightwatch, and making it work with webdriverIO. While I love all of webdriverIO’s features like synchronous code when using their test runner and a REPL, there were a few things that I’d like to share which were a little hard to find in the docs or on a quick search.

In case you missed it... Each day this week, I've been posting one thing I've learned while setting up webdriverIO. Check out my previous posts here:

• Using $$.(selector) vs browser.elements(selector)
• Using browser.debug() to help debug your tests
• Get text from a list of items

var runInBrowser = function(argument) { 
  argument.click();
};
var elementToClickOn = browser.$(selector)
> browser.execute(runInBrowser, elementToClickOn);

.execute to the rescue here. You can inject a snippet into the page, so as long as the browser can do it, you can get past the "Element is not clickable" error. This is a hack though and you should only use it sparingly when you need it, $(element).click() should still work the majority of the time. Check out this Stack Overflow discussion here if you're in this situation

Last week, I started working on integrating a test suite previously built using Nightwatch, and making it work with webdriverIO. While I love all of webdriverIO’s features like synchronous code when using their test runner and a REPL, there were a few things that I’d like to share which were a little hard to find in the docs or on a quick search.

In case you missed it... Each day this week, I've been posting one thing I've learned while setting up webdriverIO. Check out my previous posts here:

• Using $$.(selector) vs browser.elements(selector)
• Using browser.debug() to help debug your tests
• Get text from a list of items
• finding your errors when using waitUntil

1. #! the shebang line
2. usage docs
3. flags and options
4. error handling
5. dealing with output

This doc assumes you're using bash in an OSX/Linux environment.

1. the shebang line

You'll usually see a line at the top of shell scripts #!/bin/bash for example. This is called the shebang line - its a directive for the shell to run this file using the program at that path. For example, if this were a node.js script, I would have something like:

#!/usr/bin/node

console.log('hello world')

Since we want to run this script using bash, we'll set the shebang line to bash. You could do #!/bin/bash - but this will default to your user's system install of bash. You might try #!/usr/local/bin/bash if you have another version of bash at that directory. It's hard to account for where your current shell may be - in this case, you can simply ask the environment where it should be with env.

#!/usr/bin/env bash 
# will run the `bash` that is currently in your environment (i.e. in your $PATH). 

2. usage docs

One way a user might expect to see how to use the tool would be to just type the naked command, e.g. mytool. The following will print the usage docs for the tool if there are no arguments passed to the tool

function usage {
    echo "usage: `basename "$0"` /path/to/file"
    echo ''
    echo 'ex. mytool /tmp/foobar'
    echo ''
    echo 'Does something useful to the target file'
    echo ''
    echo 'Options:'
    echo '-h : show this doc
}

if [ "$#" -lt 1 ]; then
  usage
fi

2. options, flags, arguments, and env vars

Once you want to set a CLI flag or an option, move to getopts. The syntax can be a little confusing, but hopefully this breakdown makes sense.

• one limitation is that you can only set short flags like -x -V
• the definition of all the CLI flags happens in the parameter to getops: :ht:
• the first : which means that you disable the default error handling of getopts
• the second h which means that we have an option (-h) with no arguments
• the third part is the t: (a colon follows the flag name) which means that the option (-t) requires an argument

while getopts ":ht:" opt; do
  	case $opt in
    	h)
      	usage
     	 ;;
    	t)
      	type=$OPTARG
      	;;
    	\?)
      	echo 'Invalid option: -$OPTARG'
     	 ;;
  	esac
done
shift $(($OPTIND - 1))
remaining_args=$@

In this example, we have a CLI with -h -t as options with -t requiring an argument. The last two lines allow you to get the rest of the arguments provided to your script. They all wind up in the $@ variable.

If you ran mytool -t foo /path/to/file (with these options), you'd have the result:

type="foo"
remaining_args="/path/to/file"

If you want to check if a variable is already defined, and abort if not, you can use bash conditionals.

if [ -z "$SOMETHING_IMPORTANT" ]; then
  echo '$SOMETHING_IMPORTANT wasn't defined'
  usage
fi

There's a whole host of things you can check, -z is one of my more frequently used ones - see http://tldp.org/LDP/abs/html/comparison-ops.html

If you want to set default values for environment variables (and allow a user to override them if they want) - this will set USE_HEADLESS_CHROME to 0 if it was not defined already. USE_HEADLESS_CHROME=${USE_HEADLESS_CHROME:-0}

3. Dealing with output

Are you trying to run a long-running command, but you want to save the output for further debugging later and you also want to see it running? Enter tee! It lets you pipe your output to BOTH stdout & a file at the same time.

apt-get update -y | tee apt-get.log   # view and save the output
apt-get update -y > /dev/null 2>&1    # ignore all output
apt-get update -y 2>&1 > /dev/null    # Keep only stderr

See an interesting Stack Overflow discussion here about redirects in bash.

4. Error handling

The first time you run your script, you'll likely see that even though some commands are failing, the script continues. No, I did not want to create a file named 404 Not Found. /facepalm.

set -e will cause your shell script to abort when any command fails. Conversely, if you want to ignore any errors and have the script continue, use set +e (which is the default)

set -e
false
echo "You won't see this line"

Unfortunately, set -e won't work if you're using pipes and still want to abort the script whenever an error happens anywhere along the pipe. You'll have to use set -o pipefail to enable that behavior.

ps aux | grep java | awk '{print $2}' | tee pids.log # grepping for java fails, but the pipe continues

Sometimes, you might expect an error to happen and you want to do something about it. $? will contain the exit code of the last command executed. You can even assign it to a variable to use to exit later.

set +e                                  # so that errors do not cause the script to abort
apt-get install $somethingReallyNew     # I know this is going to fail
apt_exit_code=$?
if [ "$apt_exit_code" != 0 ];then  
    echo 'whoops, need to run apt-get update first'
    exit $apt_exit_code
fi

You can also include these options in your shebang line at the top of your script: #!/usr/bin/env bash -eo pipefail

Bash is pretty powerful for small scripts available on any linux machine like seeing running processes named 'foo' - ps | grep foo. I'd much prefer to use a higher-level language like node.js or ruby, but for small scripts that do one small thing - its hard to beat bash. Hopefully with these guidelines, you can get started immediately slapping together a quick and dirty tool in bash.

For more bash scripting resources, I've found these links particularly helpful:

• An interactive explainer of shell commands - https://explainshell.com
• Writing Safe Shell Scripts - https://sipb.mit.edu/doc/safe-shell/

1. Automated vulnerability scanners from all over the world
2. Crawlers
3. SQL Injection attempts

Scanners

You know what regularly shows up? Scanners. Lots and lots of open source scanners. IPs originating from all over the world China, Ukraine, Russia. Randomly throughout the week, we'll see scanner traffic. What does scanner traffic look like?

There's a few signs you can use to tell:

• You have slightly elevated error rates for a sustained period of ~30 minutes and suddenly dies off. A mix of 4xx's and 5xx's.
• It's requesting paths that don't exist in your application.
• Some scanners use a specific User-Agent header that identifies itself as a scanner

You might see requests like this...

x.x.x.x - - [07/Apr/2018:02:50:27 +0000] "GET /wp-json/oembed/1.0/embed?url=..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2FSystem32%2Fdrivers%2Fetc%2Fhosts%00&format=xml HTTP/1.0" 404 132 "http://www.zzzz.yyy/xxxx" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.6 Safari/534.57.2"

In there is an encoded URL: ../../../../../../../Windows/System32/drivers/etc/hosts&. This type of request looks mainly like a recon attempt to see if it can even get to files in that directory.

If you're running a wordpress site, always be prepared to receive a barrage of known exploits to your site. We're not even running a wordpress website and we get this type of thing in our access logs. Included there is a revslider_show_image vulnerability to steal wp-config file from 2014.

| count | uri |
|-------|-------------------------------------------------------------------------------|
| 12 | /wp-admin/admin-ajax.php |
| 6 | /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php |
| 6 | /wp-admin/tools.php?page=backup_manager&download_backup_file=../wp-config.php |
| 3 | /wp-admin/wp-login.php?action=register |
| 2 | /help/wp/wp-admin/setup-config.php |
| 1 | /help/new/wp-admin/setup-config.php |
| 1 | /help/wp-admin/setup-config.php |
| 1 | /wp-admin/js/password-strength-meter.min.js?ver=4.9.1 |
| 1 | /wp-admin/js/password-strength-meter.min.js?ver=4.9.2 |

Depending on how your application is hosted, you may even see increased latencies during a scan:

Crawlers

These are innocuous. Just Google and Bing indexing content. Typical internet being the internet. This particular crawler is nice enough to include a User Agent header that sends you to a site that says exactly what they do with all the data they collect. Check it out - http://www.exensa.com/crawl

x.x.x.x [30/Mar/2018:04:39:15 +0000] "GET /robots.txt HTTP/1.1" 404 136 "-" "Barkrowler/0.7 (+http://www.exensa.com/crawl)"

SQL injection attacks

You might see these recon attacks - you can take a known public URL and add a URL-encoded SELECT statement to see if anything funny comes out in the response. Like this:

x.x.x.x [11/Apr/2018:16:09:37 +0000] "GET /REDACTED&response_mode=%28SELECT%20%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28120%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%285423%3D5423%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28112%29%7C%7CCHR%2898%29%7C%7CCHR%28113%29%29%29&response_type=code&scope=openid HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.202.0 Safari/532.0"

There's a SQL injection string in there that is URL encoded. If you decode it, you get this

(SELECT (CHR(113)||CHR(107)||CHR(120)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (5423=5423) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(112)||CHR(98)||CHR(113)))

These are tests for injection. If the response contains something out of the ordinary, they know they can do it. Not entirely sure whats going on here though.

Defend against it

Here's a few things that you can use to keep most of these people away.

• Use security groups (in AWS) / iptables to limit inbound traffic only to the ports that you need. If only and 80/443 are open, you're primarily prone to web application attacks instead of SSH/FTP/DNS and the like. Here's an AWS Whitepaper on Security Best Practices

• Periodically review your logs to see what's going on. If you see SQL injection attempts, see which calls have returned a 200/500 - this means something potentially useful has made it to attacker.

• Outright reject anything thats not even remotely close to your applications URLs - For example, you'd want to block Windows paths when your application is hosted on Linux like paths containing System32, cmd.exe, C:\\ in your access logs.

• Run a scan against your application locally and be one step ahead of hackers. Know what you're exposed to first. Check out these open source scanners

• Many of these problems go away if you host your static website on AWS S3 - here's a guide I wrote if you're doing it for the first time

• if you're looking for an alternative to Wordpress? See this guide for building a blog with gatsby.js

The best I could do was do as the last person did which only gets you far enough to keep your head above water. I realized that the only way for me to get past this would be to hit the books, and learn all the management that I never learned in college. I read a lot that year. More than the past 3 years combined. The most helpful books I read all boiled down to 3 areas of the job that I (like many others) struggled with: dealing with team & individual performance, delegating, and making my team a great team to work on.

Dealing with performance

One thing I felt affected the team was an under-performing team member. Surely like many others, I hadn't ever seen an effective performance review myself, or seen how other leads dealt with performance on their team (Thats probably a good thing, but unhelpful for me). While I know at a high level what you're supposed to do, like talk about and deal with the problem, I struggled to actually do it - how could I, a new lead, give feedback to someone who was previously a peer on my team? It's definitely awkward the first few times! Fortunately, in this area, there are people much smarter than I who have shared their experiences in great deal to help you get past these types of problems.

• Radical Candor: Be a Kick-Ass Boss Without Losing Your Humanity by Kim Scott
  • If you want to focus on giving great feedback - this provides a pretty powerful mental model for giving and receiving feedback without feeling like an asshole. It's focused on being upfront with people, lest you be plotting against them or humiliating them.
• Leading Teams: 10 challenges and solutions by Mandy Flint, Elisabet Vinberg Hearn and Debugging Teams: Better Productivity through Collaboration by Brian W. Fitzpatrick, Ben Collins-Sussman
  • If you want to focus on getting yourself un-stuck from some problems on your team - these 2 books go in-depth on common issues that teams might have, and some step-by-step guidelines for how to deal with them.
  • This was an area I didn't feel comfortable asking any of the other managers about. We had many small teams, and we were all very friendly so it was hard to find people you can talk to. The next best thing was seeing what other more successful leaders had done in these scenarios.
• Manager Conversation with Low Performers at UMCB on Youtube
  • It's very rare you'll ever get to shadow someone else's performance review - they're private and personal by nature (or you're HR). If you've ever wondered what a "good" conversation about poor performance could look like, this video helped me a TON! There's some other related videos there that will show you what NOT to do, but it is great to see how you can quickly diffuse an awkward situation.

Lesson #1 summary: Be incredibly explicit about your expectations with their job so that they can never say, "How was I supposed to know?"

Delegating

Another awkward part about my job was telling people what to do - our team had a mission that we were mostly aligned on, but we don't always get to work on cool stuff and the work still has to get done on time. I had seen other people do it well, I had seen others do it poorly - but I wouldn't have been able to explain to you why. I felt awkward the first few times saying, "hey roger, can you take a look at this issue?" only to have that developer come back with something that I wasn't expecting (see Lesson #1).

When I was a fellow engineer on the team, I felt capable of working on bigger projects and making sure that we shipped the right things, but now, I was also accountable for all the projects the team was working on, not just mine. I had about twice as many things to do now, and the typical-engineer-turned-manager in a bout of frustration might ask, "When am i supposed to code if I'm stuck in meetings and dealing with people all the time?" It was difficult to juggle all the projects that I was now responsible for, as well as do the work on critical projects, and plan cross-team initiatives, and insert 20 more things here.

• How to Delegate (Essential Managers Series) by Robert Heller
• The Busy Manager's Guide to Delegation (Worksmart Series) by Richard Luecke, Perry McIntosh

To summarize these books: Be incredibly explicit about your expectations with projects/tasks so that they can never say, "How was I supposed to know?"

While these two books sound a little cheesy, they gave me a great framework and process for delegating. After reading them, I started blocking out time on my calendar for going through our projects and trying to match people's goals and motivations with the work we had to do. A bunch of us got AWS certificates, one engineer earned with a promotion, and an intern joined us full-time. And we built great stuff too.

Making a good team

One way to build a better team is to see more teams and how they operate, and use them as guiding examples for building your own teams. The catch is, barring you leaving your job and working elsewhere, you won't get to see that many teams and so you might not even know what your team would look like at its best! I absolutely loved reading these books because they provided case studies of real teams with real stories across some high-profile companies. Some people had really crappy times at their job, others didn't and they explain why in-depth.

These books are more focused on software engineering teams:

• Talking with Tech Leads: From Novices to Practitioners by Patrick Kua
  • Patrick Kua is a great speaker with some of his talks available on Youtube about technical leadership covering things like What I wish I knew as a first time Tech Lead and Geek's Guide to Leading Teams
• Building Software Teams: Ten Best Practices for Effective Software Development by Joost Visser, Sylvan Rigal, Gijs Wijnholds, Zeeger Lubsen

These books cover teams in general:

• Beautiful Teams: Inspiring and Cautionary Tales from Veteran Team Leaders by Andrew Stellman, Jennifer Greene
• Extreme Teams: Why Pixar, Netflix, Airbnb, and Other Cutting-Edge Companies Succeed Where Most Fail by Robert Bruce Shaw
• Scaling Teams: Strategies for Building Successful Teams and Organizations by David Loftesness, Alexander Grosse

To summarize these in one sentence: Be incredibly explicit about your expecatations with the team's culture so that they can never say, "How as I supposed to know?"

Wrapping up

I had a great time leading my team for over a year. While at times, it was incredibly daunting to think how I would get through a particularly problematic week, my team would stay on track and over time, we were able to move to more proactive work. There's many different areas in management where you could spend days and day learning, but if you do 1 thing and nothing else...

Tell your team to be incredibly explicit about their expectations from you as their lead so that you can never say, "How was I supposed to know?"

You have a web app and you're using jest for unit testing your components. You're checking out webdriverio to run your UI tests in javascript. Webdriverio comes with its own test runner if you want to use it. But you're already using jest in your codebase. Can you use jest to run your tests using webdriverio?

Short answer: yes. Long answer: maybe not? There's a lot of things that jest does well, but what you need out of unit tests is not the same thing you need out of UI tests. Here's a few reasons why jest is a little awkward for UI testing.

jest is really good at running your tests fast

jest can run all of your spec files in parallel, but you can't really customize it (see this github). Consider this example...

describe('user tests', () => {
  beforeAll(() => {
    browser.login(user)
  })

  test('user goes to home page', () => {
    expect(browser.getText(selector)).toEqual('home')
    // this needs to run before the next spec
    browser.navigateToPage('profile')
  })

  test('user goes to profile', () => {
    expect(browser.getText(selector)).toEqual('profile')
  })
})

In this example, we do more things while re-using (for better or for worse) the same browser session.

If tests need to run in order, you need to use --runInBand when running jest. Being able to run tests fast is part of the point with jest, but running tests sequentially means that you don't get some of those benefits.

Webdriverio strikes a good balance in running your tests in parallel. In your wdio.config.js, you can set the max_instances parameter to set a cap on how many tests you can run in parallel, i.e. if you set it to 2, only 2 tests will run in parallel at once.

jest manages globals well

It gets difficult to do things like setup a browser session before your tests start, and providing an active browser session among your tests. Jest has a hook called globalSetup where you can do some initialization work before your tests start running. However... there's a catch. See this example using global setup

// setup.js
var webdriverio = require('webdriver')

module.exports = async () => {
  // setup browser session
  global.browser = webdriverio.remote({
    desiredCapabilities: {
      browserName: 'chrome'
    }
  })
};

// spec.js

test('it fails', async () => { 
  browser.url('google.com') // browser is undefined
})

Any globals defined in globalSetup can only be accessed within globalTeardown. jest does a really great job at isolating context from different tests and making sure your tests don't rely on some globally set state.

Unfortunately it tends to get a bit in the way occasionally. In this case, the workaround is to create a new browser instance in each spec file that you need it which may or may not be a nuisance to add everywhere like in this example.

var browser = require('./webdriverio-wrapper') // all initialization is done here

describe('happy path test', () => {
  beforeEach(() => {
    browser.init() // here we create the browser session
  })
  afterEach(() => {
    browser.end()
  })
})

You lose synchronous calls to webdriver methods.

One of the nicest selling points for webdriverio is that you can make synchronous calls to browser*:

var text = browser.getText(selector)
expect(text).toEqual('hello world')

• there is some black magic going on to make this possible. Unfortunately, one of the drawbacks here is losing the context of your promise as described in this Github issue for wdio-sync

Instead of the promise/callback nightmare just to assert text on an element like you do with the base selenium-webdriver javascript bindings

test('check text', (done) => {
  webdriver.findElement(webdriver.By.css(selector)).then((element) {
    return element.getText()
  }).then((text) {
    expect(text).toEqual('hello world')
    done()
  })
})

In this example, we need to

1. Use 2 promises in order to get the text from an element
2. Since our assertion is inside a then block, we need to explicitly call done() when our test has finished.

Wrapping up

Jest does a lot of things well and is a go-to for unit testing. After trying to set it up with webdriverio and a legacy codebase, there were enough gotcha's with jest to warrant using webdriverio's built in test runner (which is jasmine and thats a great tool as well). UI tests may or may not do a good job of running parallel, and jest likes to run tests in parallel for speed. Your testing codebase might make use of globals, but the way jest manages your global context could make your tests a lot more verbose. But these are all things that make Jest great for unit tests. The biggest price to pay is losing out on synchronous calls to browser (can be done with async/await nowadays).

^ Update - check out my video walkthrough where I follow along with the post and show you how I set it up.

https://youtu.be/wvvIz60DNp4

^ EDIT 10/2019 – I’ve published a new video to my Youtube Channel where I debug a test and show you how to use browser.debug() alongside the VS Code Debugger. Check it out!

Am I using the correct selector? Which element is it actually clicking on? Debugging tests with webdriverio can get frustrating when you’re trying to figure out why your test is sometimes clicking the wrong elements or just plain not working. There’s 3 things that can help you drill down:

• adding many console.log statements to your test
• using a debugger to step through the test one line at a time
• using webdriverio’s browser.debug() to get an interactive js session with the browser
  • while this seems like the obvious choice, using browser.debug has its own limitations that I describe here

I searched and had found this post of getting webdriverio tests running inside of vscode to help me step through a test file line by line. That post is using an older version of node, and newer versions of node (v8.11.x+) throw an error like below:

node --debug=127.0.0.1:5859

(node:29011) [DEP0062] DeprecationWarning: `node --debug` and `node --debug-brk` are invalid. Please use `node --inspect` or `node --inspect-brk` instead.

There's 2 parts to get this to work with newer versions of node: VSCode configuration and webdriverio configuration

VSCode configuration

See here for creating a VSCode Launch Configuration. Adding this file will allow you to run the VSCode debugger and step your code line by line.

Heres a working .vscode/launch.json file that you can use and adapt to fit your needs

{
  "type": "node",
  "request": "launch",
  "name": "Run in debug",
  "port": 5859,
  "timeout": 60000,
  "runtimeExecutable": "${workspaceRoot}/node_modules/.bin/wdio",
  "cwd": "${workspaceRoot}",
  "console": "integratedTerminal",
  "args": [
      "--spec", "main.js"
  // "--spec main.js" will be passed to your executable as
  // "wdio '--spec main.js'" (which isn't what you want)
  ],
  "env": {
      "DEBUG": "1" 
      // use an environment variable to be able
      // to toggle debug mode on and off
  }

This configuration will run your runtimeExecutable and by defining the "port" variable, it will attempt a connection to port 5859. Once that connection is successfully made, you'll be able to set breakpoints and step through your test.

webdriverio configuration

On the webdriverio side, we need to tell it to listen for connections from a debugger on port 5859.

In your wdio.conf.js file:

exports.config = {
  debug: true,
  execArgv: ['--inspect-brk=127.0.0.1:5859],

  // other wdio configuration
  specs: ['some/specs/here'],
  suites: {
    ....
  }
  ....
}

This snippet will start webdriverio and start listening for connections from a debugger on 127.0.0.1:5859 (which you did in your VSCode configuration). The program will stop at this point to wait for a debugger to connect, and if nothing connects, the command will fail.

Once you run it successfully, you should see this type of output

/Users/dperez/workspace/wdio/node_modules/.bin/wdio "--spec" "main.js"

Debugger listening on ws://127.0.0.1:5859/9698ad4c-8d7d-447f-a259-1c566cd511d6
Debugger attached.

You'll see the program pause at this point until a connection is made. If you never see "Debugger attached", it means VSCode has not connected to your program, and so you can't set breakpoints and debug.

If you run this as part of your CI process (Gitlab/Jenkins), you can make debug mode configurable. You can use env vars in your .vscode/launch.json configuration.

...
"console": "integratedTerminal",
"env": {
  "DEBUG": 1
}

This will run your program with that env var set by using:

DEBUG=1 /Users/dperez/workspace/wdio/node_modules/.bin/wdio "--spec" "main.js"

Then in your wdio.conf.js file:

exports.config = {
  debug: process.env.DEBUG === '1',
  execArgv: process.env.DEBUG === '1' ? ['--inspect-brk=127.0.0.1:5859'] : []
  ...
  // remaining wdio options
  ...
}

This way, the program will only wait to attach to the debugger when you run it inside of VSCode (where the environment variable is set), and everywhere else it will run normally without it.

Wrapping up

Add these snippets to your configuration if you need to step through your program and watch how the program is executing. It sure beats writing tons of console.logs all over your code.

• Interested in using webdriverio's browser.debug() mode? check out my post on using wdio's debug mode to play with the browser.
• In case you’re here because you’re trying to solve the dreaded ‘element is not clickable at point’ error message, check out this post here

tl;dr Here's a snippet of wdio.conf.js showing our Chrome configuration. To see why some of these need to be included, read on.

// wdio.conf.js
...
browserName: 'chrome',
chromeOptions: {
  args: [
    '--disable-infobars',
    '--window-size=1280,800',
  ].concat((function() {
    return process.env.HEADLESS_CHROME === '1' ? [
      '--headless',
      '--no-sandbox',
      '--disable-gpu',
      '--disable-setuid-sandbox',
      '--disable-dev-shm-usage'] : [];
  })()),
...

--disable-dev-shm-usage

Add this flag if you're seeing the error (like this guy did) “Session deleted because of page crash from tab crash” in your logs when your tests fail (or a message along the lines of a page crash), or Chrome is unreachable.

Why do we need this?

There’s a tmp folder that Chrome uses related to its internal memory management that by default tries to use the /dev/shm directory. I don't quite understand the internals of Chrome, but here's some details about this from the puppeteer project. Anyway, Docker containers have a default size of 64MB for /dev/shm (cmd+f for --shm-size). Chrome quickly runs out of space in there and your page will then crash, taking your tests down with it. No bueno. There’s two solutions to this:

The easiest way to deal with this problem is to just not use it. There are some small cons, but a good rule of thumb is that unless you're trying to parallelize multiple concurrent Chrome sessions within one container, you're probably safe to disable it by adding --disable-dev-shm-usage to your Chrome options.

If you are though (like this engineer), then you'll need to increase the size of your /dev/shm. For Docker containers,

• there’s a flag for increasing the shared memory size --shm-size=1G that you can pass to your docker run command.
• you can also mount /dev/shm from your host machine to the docker container via -v /dev/shm:/dev/shm

--disable-setuid-sandbox --no-sandbox

If you see errors failing to connect to Chrome like this, you might need these flags. Chrome uses sandboxing in order to protect your machine from random content on the internet (see details here). If you’re running Chrome inside of a disposable container, then your container is already acting as a sandbox for Chrome, and so you don’t quite need chrome’s sandbox (your mileage may vary here depending on what you’re trying to do).

I typically see these two flags passed along together in various writeups online. This answer from the Chromium team suggests that --disable-setuid-sandbox was only used in older versions of chrome.

--disable-gpu

The official Puppeteer docs suggest that this flag is only needed on Windows. Various snippets online usually use --disable-gpu alongside --headless because an earlier version of headless chrome had bugs with it.

--disable-infobars

This flag can help a minor annoyance - if you take a screenshot of the browser in your tests, then you’ll see a bar at the top of your browser page saying that Chrome is being controlled by automated process. This also pushes elements farther down the page. Its usually fine, but if it gets in your way, then try using this option. This flag was at one point removed around Jan 2018, and then added back.

Wrapping up

Yes, Chrome can run headlessly and it can run inside of a container, and be stable (for the most part). You do however need the right concoction of parameters to get it working right, but hopefully this saves you a few hours of debugging random page crashes. Try out those Chrome options in your configuration (they will also work if you're using puppeteer or other selenium/chrome combo).

Running into different errors? See how to attach the VSCode debugger to step through your UI tests to help you narrow down the issue.

This is a solution proposed by an answer to this Github issue for webdriverio. Since so many things are pluggable in the framework, we can hook into the test reporter, find all the tests that failed, get their filenames, and then re-run webdriverio with those file names.

finding all the tests that failed:

you can get the right info by responding to the test:fail and end events.

You can collect all the test failed events....

this.on('test:fail', (data) => {
      this.failures.push(data);
    });

Then build a report at the end containing all the failed test files.

this.on('end', () => {
  console.log(this.failures);

});

When each test fails, you'll get a test result object that looks like this:

{ cid: '0-0',
  uid: 'test1spec0',
  event: 'test:fail',
  title: 'test1',
  pending: false,
  parent: 'testfile1',
  type: 'test',
  file: '',
  err: 
   { matcherName: '',
     message: 'Failed',
     stack: 'Error: Failed\n    at <Jasmine>\n    at UserContext.it (/path/to/testfile1.js:25:7)\n    at <Jasmine>',
     passed: false,
     expected: '',
     actual: '' },
  duration: 15294,
  runner: 
   { '0-0': 
      { maxInstances: 1,
        browserName: 'chrome',
        chromeOptions: [Object] } },
  specs: 
   [ '/path/to/testfile1.js' ],
  specHash: '3ad3fe8fe4af1ca17782a5b3fdc65e54' }

You can save it as JSON if you want to parse it with jq or another tool. You can also just grab the info you need, like all the file names with tests the failed:

// Save as JSON
let dir = path.resolve(this.outputDir);
let filepath = path.join(dir, 'failed-suite-reporter.json');
mkdirp.sync(dir);
fs.writeFileSync(filepath, JSON.stringify(this.failures));

// Save filenames
dir = path.resolve(this.outputDir);
filepath = path.join(dir, 'failed-specs-to-rerun.txt');
const specs = _.uniq(_.flatMap(this.failures, (f) => f.specs)).join(',');
fs.writeFileSync(filepath, specs);

That txt file will look like /path/to/testfile1.js,/path/to/testfile2.js for example.

Re-running failed tests

At this point, we have a listing of all the test files that had failed tests, and those results are saved to a file. Now we'll need a wrapper script that runs our wdio suite, and then re-runs it if it fails.

You can add a script to your repo, and link it to the npm test shortcut.

wdio --spec all_my_specs/**
test_exit_code=$?

if [[ $test_exit_code != 0 ]]; then
  failed_spec_files='./output/failed-specs-to-rerun.txt'
  wdio --spec $(cat $failed_spec_files);
  exit $?
fi

exit $test_exit_code

Something to be aware of:

If you're using another test reporter already that puts a bunch of files in an outputDir, such as the JUnit Reporter, re-running the tests will also overwrite the files from the first run.

That means, if you have 50 specs and 1 of them failed, and you re-run the 1 that failed, your JUnit report will only show the 1 test. Depending on how you use your test report, you might have to make a copy of the files in your outputDir before re-running the tests again.

tl;dr here's a snippet of what you need in a failed test suite reporter.

const events = require('events');
const path = require('path');
const fs = require('fs');
const mkdirp = require('mkdirp');
const _ = require('lodash');

// Pulled from this very helpful Github comment
// https://github.com/webdriverio/webdriverio/issues/2521#issuecomment-367190751
class FailedSuiteReporter extends events.EventEmitter {
  static get reporterName() {
    return 'FailedSuiteReporter';
  }

  constructor(baseReporter, config, options = {}) {
    super();
    this.failures = [];
    this.outputDir = options.outputDir || './output/';

    this.on('test:fail', (data) => {
      this.failures.push(data);
    });

    this.on('end', () => {
      const specs = _.uniq(_.flatMap(this.failures, (f) => f.specs)).join(',');

      let dir = path.resolve(this.outputDir);
      let filepath = path.join(dir, 'failed-suite-reporter.json');
      mkdirp.sync(dir);
      fs.writeFileSync(filepath, JSON.stringify(this.failures));

      dir = path.resolve(this.outputDir);
      filepath = path.join(dir, 'failed-specs-to-rerun.txt');

      fs.writeFileSync(filepath, specs);
      console.log('Wrote report to ', filepath);
    });
  }
}

/**
 * Expose Custom Reporter
 */
exports = module.exports = FailedSuiteReporter;

Wrapping up

There’s no support for re-running failed suites in webdriverio out of the box which can make re-running flaky test suites take a lot longer. However, using Custom Reporters, we can get the information we need in order to re-run tests on our own. You can grab that test reporter above and include it in your project to start re-running only the test suites that failed.

A few other helpful resources:

• Seeing errors with Chrome crashing randomly when running your tests in Docker? Check out this post to see how to configure Chrome for docker.

• Sometimes, you just need to step through your tests with a debugger. See here for how to connect it to VSCode

Gotten stuck in a rabbit hole figuring out how to add "Log In with Google" to your web app? In this series, I'll cover:

• why you might want to use the Sign-In for Website JS library, and getting started with it
• Adding the library via javascript
• adding it to an existing project (angular & react)

Their docs give you a decent place to start if you know what you're looking for, but there's a few areas where their docs and other guides online can be confusing. There's also minimal guidance as to how to use it within existing projects.

• Am I supposed to be following the Google Identity docs or do I need Google Sign-in for Web??
• Wait, why are those 2 guides so different? They even load different libraries!
• This should be simple! I'm just trying to load a users avatar!!

The answer to "How do I add Log in with Google?" boils down to 1 question you need to be able to answer: What exactly are you trying to do?

• Do you just want to be able to see the users name and picture, maybe their email? Use the Sign-In for Websites library (full walkthrough below).
• Do you have your own user database and want to offer Google login as an extra option? This is Federated Login and you'd want to use their OpenID Connect protocol. This is used by platforms like auth0, firebase, oneidentity.
• Do you want to be able to interact with the users Google account and do things like see their calendar, or create a Google doc? You'll need to use their OAuth workflow.

For the purposes of this series, I'm going to explore when you should use the Sign-In for Websites library which uses the OpenID Connect protocol (also used by Federated Login systems) - this library can be easily misunderstood, but is still incredibly useful. The goal of this authentication library is to let you identify a user with their Google account. Thats it.

So when should I use it?

Good reasons to use it:

• you have some content stored on a backend service that you deliver via an API only after the user has signed in
• you only have to support Google/G-Suite users
• you dont need to authorize users (e.g. allow some users to be admins)
• your site is public
• you have a single-page app

Use cases where it's worth considering federated login:

• you have pre-existing user content stored on a backend service
• you have an internal site that you want to restrict to users from a specific domain. (e.g. only users from @example.com should see it)
• you want to prevent people from seeing your page unless they've logged in. The best you can do with this library is show/hide elements on the page if the user logged in, but thats enough if you only load data from an API after a user has logged in.

The library is designed to be used with HTML/JS and only interacts with your page via the "Sign in with Google" button. You can integrate this with other frameworks like Angular/React which I'll be covering in the next part of this series.

Adding Google Sign-in step-by-step

1. Hello World HTML

To start with, all you need is an index.html file.

<!DOCTYPE html>
<html>

<head>
  <title>Google Auth Demo</title>
</head>
<body>
  <h1>Welcome to the Demo</h1>
</body>
</html>

2. Add the Google Sign-In Button

Before adding in the button, you first need to create a client ID/secret which is a way of identifying that you, the developer, are allowing users to get the identity information from Google and delivered to your website.

Creating credentials for Sign-In

• Go to the Google API Console - https://console.developers.google.com/apis/dashboard
• Create a new project, or use an existing project if you already have one set up.
• Then click on Credentials -> Create Credentials -> OAuth Client ID

Here's what I put in for this demo:

Name: google-auth-demo Authorized Javascript Origins: http://localhost:8080 Authorized Redirect URIs: empty

*A note about the Javascript origins: if you have a plain HTML file that you load in your browser using a file path like /home/dperez/index.html, this won't work. You'll need to "serve" your website on your computer so that you have a URL, even if its just localhost. You can use python -m SimpleHTTPServer 8080 (which is commonly available) to serve up your current directory or you can use an npm package like http-server.

You'll then get a Client ID & Client Secret. These are 2 identifiers for your Oauth Client. At this point, you have authorized that Client ID to accept logins and return you the users information. Copy them down. If you accidentally click out of the screen, you can always copy them again later.

Add the library + credentials + button to your HTML

In your index.html page, add the following to your HTML page:

...
<head>
  ...
  <meta name="google-signin-client_id" content="your-client-id-goes-here">
  <script src="https://apis.google.com/js/platform.js" async defer></script>
</head>
<body>
  <h1>Welcome to the Demo</h1>
  <div class="g-signin2"></div>
</body>

The script tag grabs the library from Google that reads your <meta> tag to use as the Client ID, and then automatically re-styles the button with the CSS class .g-signin2.

At this point, if you refresh your page, you should see a pretty Sign-In button. If you click it, you'll go through your Google Login flow in a popup, and you'll finally land back on your site, and the button will say, "Signed In".

Great, we're most of the way there! But in its current form, this is still useless.

3. Identify the user

1. Update the g-signin2 div to include the data-onsuccess attribute:

<div class="g-signin2" data-onsuccess="onSignIn"></div>

That attribute contains the name of the function that will be called once a user has successfully logged in with Google.

2. Create a function called "onSignIn".

<body>
  ...
  <script>
    function onSignIn(googleUser) {
      // get user profile information
      console.log(googleUser.getBasicProfile())
    }
  </script>
</body>

Your onSignIn function will be called with an argument containing the information provided by Google. If you refresh the page, you'll notice that

1. You're automatically signed in
2. The button gets updated very shortly after refresh (1s delay)

If you open up your javascript console, you'll see the users information printed:

{
  Eea: "108716981921401766503"
  Paa: "https://lh3.googleusercontent.com/-y_ba58pC4us/AAAAAAAAAAI/AAAAAAAAAYE/wMGKOxlWR90/s96-c/photo.jpg"
  U3: "perez.dp@gmail.com"
  ig: "danny perez"
  ofa: "danny"
  wea: "perez"
}

This is the basic profile containing a series of values that identify me as a user. Under any normal circumstances, this object would have fields like name or email, but for some unknown reason (I wish I had the answer but they havent given an answer either), its gibberish - but at least its consistent and hasn't changed.

You can either get the data directly by doing googleUser.getBasicProfile()['U3'] or use the more human-readable approach by using the functions like googleUser.getBasicProfile().getName() or googleUser.getBasicProfile().getEmail(). (See here for the javascript client api reference docs)

4. Sign out

Add a sign out button after the user has signed in by adding a button in your index.html and the click handler in your javascript.

index.html

<body>
...
  <button onclick="signOut()">Sign out</button>
</body>

function signOut() {
  gapi.auth2.getAuthInstance().signOut().then(function() {
    console.log('user signed out')
  })
}

Great! At this point, we've added a Sign-In with Google button and we can identify the user by name/email. Also, thats it. Thats all this library can help you do.

...but what about basic things like saving users data to the backend? or showing an admin page?! Why isn't this in the docs?! That'll be covered on the next post coming 7/22 - using the js library to add it to your site without HTML.

Update: Here's the link for part 2 of the series - Using the js library

In this part, we'll be going over how to use the gapi library to configure Sign-In and then actually sign-in the user, as well as a few snippets for handling some common user scenarios.

create your own sign in button

1. Load the api.js library instead of platform.js :shrug: (not sure why they're different)

Change https://apis.google.com/js/platform.js to https://apis.google.com/js/api.js?onload=onLibraryLoaded

Here, we configure our Sign-In client once the library has loaded using the ?onload=onLibraryLoaded callback that you can provide via the URL. api.js will add a global variable called gapi.

2. Add a button to your index.html with a button click handler

<button onclick="onSignInClicked()">Sign in with button onClick</button>

2. Add the following to your script tag in index.html to handle the button click

function onLibraryLoaded() {
    gapi.load('auth2', function() {
        gapi.auth2.init({
            client_id: 'YOUR_CLIENT_ID.apps.googleusercontent.com',
            scope: 'profile'
        })
    })
}

function onSignInClicked() {
    gapi.load('auth2', function() {
        gapi.auth2.signIn().then(function(googleUser) {
          console.log('user signed in')
        }, function(error) {
            console.log('user failed to sign in')
        })
    })
}

We can then access the gapi.auth2 library and initialize it using our client_id from the Developer Console.

how to handle some common user scenarios

• listening for when the user has signed in
• checking if the user is logged in
• getting the users info
• only allow users from a particular domain to log in
• only allow certain users to log in
• hide content until after a user logs in
• sending your ID token to a backend (if you have one)

using sign-in listeners

In the above example, we can only run some code after we initialize and sign in the user. But what if you have different parts of the page in different files, each showing something different depending on the user? (this might be the case if you're using components)

class UserAvatarComponent extends React.Component {
    ...
    componentDidMount() {
        gapi.load('auth2', function() {
            gapi.auth2.isSignedIn.listen(function(isSignedIn) {
                console.log('user signed in ', isSignedIn)
                this.setState({status: isSignedIn})
            })
        })
    }    
}

checking if the user is signed in

function isUserSignedIn() {
  gapi.load('auth2', function() {
      var isSignedIn = auth2.isSignedIn.get();
      console.log('is signed in? ', isSigned In)
  })
}

A few things to note about using this function:

• The Sign-In library will, by default, sign you in automatically if you've already signed in.
• If you refresh the page, even after the user has signed in, then on first laod, you'll get auth2.isSignedIn.get() === false
• After the user is signed in automatically (usually takes a sec), then auth2.isSignedIn.get() === true
• Depending on how you handle your login UI, your user might see that they are not logged in for a hot second. It's helpful to use the isSignedIn.listen() callback if you want to know the precise moment this happens.

getting the users info

function showCurrentUserInfo() {
  gapi.load('auth2', function() {
      var googleUser = auth2.currentUser.get()
      console.log('users info ', googleUser)
  })
}

only allowing users from a particular domain to login

This is a little bit of a hack and is probably easy to circumvent, but you can use the getHostedDomain() method to get the G-Suite domain the user comes from. If the user does not have a G-Suite domain, then it'll be blank.

function onSignIn(googleUser) {
    if(googleUser.getHostedDomain() !== 'mysite.com') {
        // show a Not Authorized message
    } else {
        // show the users dashboard
    }
}

only allowing certain users to login

This is even more of a hack, but seems to be the only you can do it from within javascript. You really shouldn't. Don't know why I'm including it. The brute method.

function onSignIn(googleUser) {
    var profile = googleUser.getBasicProfile()
    if(profile.getEmail() === 'admin@example.com' ||
       profile.getEmail() === 'client@example.com') {
           // show the user dashboard
    } else {
        // show a Not Authorized message
    }
}

hiding content until after the user logs in

This is also a hack. This is easy to workaround if you fidget with the CSS in your browser, but can work if it fits your use case. The reason this is a bad idea is that in a static website, all of the information thats available in your HTML is available to the user. DO NOT USE THIS if you have actual sensitive information to hide. It is a good candidate for showing your favorite cat pictures.

<body>
...
  <div id="greeting">
    You are not authorized to view this content
  </div>
  <div id="dashboard">
    ...
  </div>
  <script>
    // hide initially
    $('#dashboard').hide()
    
    function onSignIn(googleUser) {
      setTimeout(function() {
        // show the content
        $('#greeting').hide()
        $('#dashboard').show()
      }, 1000);
    }
  </script>
</body>

send the token to identify the user (not their ID)

If you're making a backend request, you'll want to send the users ID token to your backend as an Authorization header. On your backend, you'd then be able to validate and decode the ID token (see here for examples).

$.ajax({
  url: 'myapi/example',
  headers: {'Authorization': googleUser.getAuthResponse().id_token)},
})

Conclusion

In this post, we've seen how you can configure the Google Sign-In library via javascript, and use it to do things like get the users info and check if they're signed in (theres some nuances to be aware of with the login flow). For the last part of this series, we'll look at some examples of how you might use google sign-in in a React and Angular application. Check it out here

Demo code is available on Github intricatecloud/google-sign-in-demo. Replace YOUR_CLIENT_ID with your client ID, and you'll be able to see the sign in buttons in action.

In this next part of the series, I'll be walking you through an implementation of google sign-in with a simple react app and a bonus react-router example.

Up until now, we've seen 2 different hello world examples of how to add google sign-in on the front-end - using plain HTML and vanilla JS. It's been all nice and dandy for a hello world, but one thing thats been missing while I was figuring out google sign-in is what a working implementation looks like - especially in React.

*There is a react-google-login component that configures all of google sign-in behind a <GoogleLogin> tag. It's quite useful and I've used it in a few instances - my one complaint is that you can't get at the return value of the gapi.auth2.init() method. This post will show whats going on under the covers if you prefer not to use a library.

creating a new react app with google sign-in

First - create the app create-react-app google-auth-demo. The files we'll mainly be working with are App.js and index.html.

Add the google sign-in script tag to your public/index.html

<head>
  ...
  <script src="https://apis.google.com/js/api.js" async defer></script>
  ...
</head>

add the login button

In App.js - add some state to keep track of when the user has signed in

constructor(props) {
    super(props)
    this.state = {
        isSignedIn: false,
    }
}

Add the button to the component

render() {
  return (
    <div className="App">
        <header className="App-header">
          <img src={logo} className="App-logo" alt="logo" />
    
          <p>You are not signed in. Click here to sign in.</p>
          <button id="loginButton">Login with Google</button>
        </header>
      </div>
  )
}

Wait, how do I avoid showing this if the user is signed in? We can use the state to conditionally show it.

getContent() {
  if (this.state.isSignedIn) {
    return <p>hello user, you're signed in </p>
  } else {
    return (
      <div>
        <p>You are not signed in. Click here to sign in.</p>
        <button id="loginButton">Login with Google</button>
      </div>
    )
  }
  
}

render() {
  return (      
    <div className="App">
      <header className="App-header">
        <img src={logo} className="App-logo" alt="logo" />
        <h2>Sample App.</h2>

        {this.getContent()}           
      </header>
    </div>
  );
}

• Since conditionals are a little hard to write with inline JSX, I've pulled out the conditional block to another method to provide the component that we want.

At this point, you'll have a button that does nothing (the best type of button) and you'll see the "You are not signed in" message

add sign-in

To finish setting up google sign-in, you'll want to initialize the library using gapi.auth2.init(). A good place to do that is inside of componentDidMount() callback.

componentDidMount() {
  window.gapi.load('auth2', () => {
    this.auth2 = gapi.auth2.init({
      client_id: 'YOUR_CLIENT_ID',
    })
  })
}

To use the default styling, use the gapi.signin2.render method when initializing your component.

onSuccess() {
  this.setState({
    isSignedIn: true
  })
}

componentDidMount() {
  window.gapi.load('auth2', () => {
    this.auth2 = gapi.auth2.init({
      client_id: 'YOUR_CLIENT_ID.apps.googleusercontent.com',
    })

    window.gapi.load('signin2', function() {
      // render a sign in button
      // using this method will show Signed In if the user is already signed in
      var opts = {
        width: 200,
        height: 50,
        onsuccess: this.onSuccess.bind(this),
      }
      gapi.signin2.render('loginButton', opts)
    })
  })
}

When using this method, the button will automatically show whether you're signed in, but the onSuccess callback won't actually run unless the user clicks it when it says "Sign In". Otherwise, you are logged in automatically. One way to hook into the end of that auto sign in process is by adding a callback to the promise returned by gapi.auth2.init:

window.gapi.load('auth2', () => {
  this.auth2 = gapi.auth2.init({
    client_id: 'YOUR_CLIENT_ID.apps.googleusercontent.com',
  })

  this.auth2.then(() => {
    this.setState({
      isSignedIn: this.auth2.isSignedIn.get(),
    });
  });
})

making a "protected" route

If you're using react-router and you want to add a "protected" route to your React app, you can hijack the render prop of a <Route>. You can do something like this:

authCheck(props, Component) {
  return this.auth2.isSignedIn.get() ? <Component {...props} /> : <UnauthorizedPage/>

}

render() {
  ...
  <Route path="/home" render={this.authCheck.bind(this, HomePage)}/>
  ...
}

By hooking into the render property on <Route>, you can dynamically define what component will load when you try to access that Route.

This is the strategy employed by the react-private-route project library to make it a little bit easier to write, definitely worth checking out.

If you'd like to check out what this pattern looks like, you can check out my video below to see an example app with private routes: [embed]https://youtu.be/BC4QEliL-4Y[/embed]

conclusion

If you're implementing google sign-in in a React app - check out my github repo intricatecloud/google-sign-in-demo to see all the code above in a working setup.

Throughout this 3-part series, we've covered going from a hello-world example of google sign-in, to using the javascript library to do some hacky things. Now, we've reviewed all the code you need to integrate with the Google Sign-In button.

EDIT: 12/2020 - I've made a new tutorial to walk you through stepping up your user's experience by setting up passwordless login with Google One Tap Sign In for Web

There wound up being a total of 20k shortlinks, which meant that:

• I needed to be able to upload 20,000 in one go, it needed a scriptable API
• whatever we used needed to be around for at least 6 months to be available during a certain review period
• the links needed to work, and be available
• we needed to be able to create the redirects from a Google Sheet
• they wanted to know if/when links were clicked

We ultimately landed on a solution with just AWS that comes out dirt cheap - but there were a few things we had to consider first.

Why not just use something like bit.ly?

For this specific case - based on their pricing, we'd be in the enterprise range under the "Contact Us for a Quote" plan which puts us north of $400/year (and a "quick call" with an account manager) for something I only need once.

$400/year sounds steep for something that ...should.... be simple and cheap. 301 redirects have been around since 1999 (20 years ago!) - why isnt this a solved problem! (it kinda is, but it isnt)

Even outside of enterprisey considerations,

• bitly comes with its own limits for the free tier, and even doing something like bulk redirects needs to be on their enterprise plan.
• 30/month for their basic plan is a bit steep for some 301s, and we can do it for cheaper. (you trade off some features though, primarily analytics - if you dont care about that, fantastic!)

Apart from that, its a good opportunity to learn the ins & outs of AWS, it doesnt involve a lot of services. If you're familiar with Cloudformation or Terraform, you can set it all up that way.

How do you build it?

We worked out a solution using Cloudfront + S3, where your Objects have a Website-Redirect-Location metadata attached (see docs here). We built it out in an afternoon, and had all 30k redirects generated and working, and it costs just a few bucks/month to run.

Let's say you own short.url and you want to be able to have short.url/2019barbecue redirect to a Facebook page.

At a high level, take a look at this architecture (images courtesy of cloudcraft.co):

You point your domain (which can be hosted anywhere, doesnt need to be route53) at a Cloudfront distribution that sits in front an S3 bucket served as a website. In that bucket are many objects, with the Website Redirect Location metadata set to redirect to our target url - short.url/2019barbecue redirects to example.com

Are your redirects business critical?

Maybe you're running a launch and you need people to click a link. You are now responsible for uptime and so AWS' uptime is your uptime.

In this case, your availability is the minimum of either Cloudfront or S3 (99.9%) - you do, however, have the benefit of a globally distributed CDN… and a highly durable and replicated object store… with failover to another region in case it craps out - not to mention its cheap-ish to implement.

Do you want analytics?

Bitly analytics are pretty neat - thats a tradeoff since its something you'll need to do yourself - but if you already have an analytics/monitoring platform, you can get your data through there. For things on my personal site, I don’t care for seeing analytics - i just want to share a customized short link.

Out of the box, you get some level of Cloudwatch monitoring around Cloudfront including error rates, data in/out, and total requests. (full list here)

If you want more info, then you need to dump Cloudfront access logs to another S3 bucket and use Athena (the docs for that here) for some quick analytics to see things like source IP, referer, requested path, response code

Any gotchas i should be aware of?

Be mindful of updating where a redirect points to. 301 redirects CAN be cached indefinitely by your browser since the spec indicates a 301 means Permanent Redirect.

If someone has already clicked your link before, it's possible that they may be taken to the old location for some period of time. In practice, I've seen a long tail of requests to the old value of the redirect kinda like this:

302 redirects are meant to be temporarily cached, so it has less issues. Some architectures limit you to 301 redirects, others give you the option to do a 302. In this case, Cloudfront + S3 only lets you do 301s and thats just a constraint we need to deal with unless we want to throw Lambda in the mix as well.

Wrapping up

If you find yourself needing to create some customized short links or redirects, consider using Cloudfront + S3 to serve them using the architecture above - you get all the benefits of an enterprise-grade solution at a fraction of the cost if you're already familiar with AWS.

I'm working on a series of posts to thoroughly explain how to set up short links on AWS. Next up, I'll be covering how to set up the short links in the console, and then how you could do it in terraform.

In this guide, I'll go over

• what do our redirects/short links need to be able to do
• how to set it up via the console if thats what you're comfortable with, or doing it via the AWS node SDK.
• How to check that its working
• A few things to check when it doesn't (it never really works the first time, doesn't it?)

What do we need out of our short links?

• I need to be able to create custom links to redirect
• I need to be able to change them later
• I want to see traffic to the redirect, and how many times they've been clicked (this will be part of another post)

Technical Requirements:

• Highly Available, Redundant (99.9% SLA)
• Serve HTTPS 301 redirects
• Serverless. Cloudfront + S3 means we don't have any servers to manage.

This is the architecture we're going to set up on AWS:

In short, we have...

• a CloudFront CDN which gives us free HTTPS for our domain (courtesy of AWS Certificate Manager)
• An S3 bucket with Cross-Replication enabled to another bucket in another region
• Each redirect is stored as an object with the Website-Redirect-Location metadata pointing to our redirect

Setting it up via the console

Step 1: Set up Cloudfront + S3

I've set up this diagram for one of my domains - gotothat.link so I'll show you how I've set that up.

I own gotothat.link using Route53 as my registrar. You don't need to have your domain on AWS Route53 if you want to host your short links on AWS - if you have one already via something like GoDaddy or Namecheap, thats fine too, you can use that.

Cloudfront will be providing an HTTPS URL that we can use using S3 as an origin which will serve our redirects. Cloudfront will have its logs piped to another bucket, and we can get some metrics out of that.

An S3 bucket will be used to store the actual redirects.

For an in-depth guide on setting up those 2 services, you can check out my post which walks you through setting up via the console or if you want to set it up with terraform.

Once you have Cloudfront deployed and connected to your S3 bucket, we can add our redirects.

Step 2: Add a redirect

Create an empty file and upload it to the console, with Website-Redirect-Location metadata pointing to the URL you want to redirect to. In this case, I've uploaded an empty file named not-a-rick-roll and added the metadata to point to a particular YouTube video.

You can use the default permissions, default storage type, and no need for encryption.

In the screenshot, you'll see theres a warning under the Metadata header - You cannot modify object metadata after it is uploaded. I'm sure theres a reason this is included, but I've been able to just go into the object's metadata and change the values from the screen below.

By default, S3 will add a Content-Type metadata to your object when you upload it. So you can see in the screenshot that the Content-Type has been set to binary/octet-stream which implies this link will return some file. Its worth noting in this case, that by adding the Website-Redirect-Location metadata to your object, S3 will serve up a HTTP 301 Redirect to your target redirect - a 301 response only needs to include a Location header specifying the redirect. So it doesn't quite matter what the Content-Type is on your object. You can leave it alone, or delete it.

Thats it! Assuming you have many more of these, you can even automate the creation of your redirects.

Step 3: Automating it

If you use the CLI, you can script it using the AWS CLI - aws s3 cp not-a-rick-roll s3://gotothat.link/not-a-rick-roll --website-redirect "https://www.youtube.com/watch?v=dQw4w9WgXcQ"

If you have your redirects stored in a CSV, you can parse it and upload it using the node aws-sdk - check out this example:

# redirects.csv

notarickroll,https://youtube.com/video
no/really/not/a/rickroll/video, https://youtube.com/video

// redirects.js

const parse = require('csv-parse/lib/sync')
const fs = require('fs')
const AWS = require('aws-sdk')
const s3 = new AWS.S3();

const redirects = parse(fs.readFileSync('redirects.csv'))
redirects.forEach((redirect) => {
    console.log('Uploading ', redirect)
    s3.putObject({
        Body: '',
        Bucket: 'gotothat.link',
        Key: redirect[0],
        Metadata: {
            'Website-Redirect-Location': redirect[1]
        }
    }, (err, data) => {
        if (err) return console.log(err)
        console.log('done')
    })
})

Verify your redirects

You can check to see that its working by using good ol' curl to make a request to your site - gotothat.link, and verify that you get back a 301 redirect for that object. This is what the output of that command looks like:

☁  intricate-web  curl -i https://gotothat.link/not-a-rick-roll
HTTP/2 301
content-length: 0
location: https://www.youtube.com/watch?v=dQw4w9WgXcQ
date: Sun, 22 Sep 2019 01:52:57 GMT
server: AmazonS3
x-cache: Miss from cloudfront
via: 1.1 96b6c9282feceea8aa00c25902322bb6.cloudfront.net (CloudFront)
x-amz-cf-pop: EWR53-C1
x-amz-cf-id: rNwzh3rL-ErWpi0YuDrqQcCvvmbqa_ZWj7cPl71WrPPi1vlFbW0siA==

You now have URL redirects served out of your own domain so you can do things like gotothat.link/not-a-rick-roll (check it out - its totally not a rick roll 😎)

Troubleshooting

If you change a redirect and you don't see it taking effect, there might be one of two things happening:

• If you're trying this in your browser, you might have a cached version of the redirect. Open an incognito window and try it there.
• Cloudfront is still sending you back a cached version of the redirect. You'll have to use curl to inspect the request so you can see whats happening.

☁  intricate-web  curl -i https://gotothat.link/not-a-rick-roll
HTTP/2 301
content-length: 0
location: https://www.youtube.com/watch?v=dQw4w9WgXcQ
date: Sun, 22 Sep 2019 01:52:57 GMT
server: AmazonS3
x-cache: Hit from cloudfront
via: 1.1 c67ae9899d89f9402837da3a0ead9442.cloudfront.net (CloudFront)
x-amz-cf-pop: EWR53-C1
x-amz-cf-id: 7pDL0XgVjGmdMqcHf7tSsRILd0WfZpihpLF66SYVJLlzqfCJG2PMRg==
age: 4

In this example, we want to pay attention to the x-cache & age response header. In this case, it says Hit from cloudfront and the age == 4. The age is the time that object has been in the cache. If you've updated your redirect recently, and you're still seeing an old redirect in your response headers, then you'll need to invalidate your Cloudfront cache. You can do that from the Invalidations page

You'll know it updated when the age response header shows something recent.

There you have it! By this point, you should have your own domain sending you back redirects that you can monitor yourself. Now, this isn't the whole story because theres still a feature or two that we need to set up.

Then AWS dropped the bombshell during re:invent 2018 that Cloudfront can now support it by using Origin Groups - Announcement

In this post, I'll show how you can configure this for an existing site via the console.

Adding an origin group to your Cloudfront distribution

I was working on this for one of my websites - gotothat.link - its not a static website, but its just a site that serves a bunch of redirects so all the same rules apply.

Step 1 - Configure replication on your S3 bucket

Go to the replication settings page for your S3 bucket.

If you haven't yet enabled Versioning, it will tell you that you're required to do so.

Enable replication for the entire bucket by clicking Add Rule. For our use case, we don't need to encrypt the replicated contents.

You can follow the prompt to create a new bucket in us-west-1 - N. California.

Once you've created the S3 bucket, make sure to update the bucket policy on your new replication bucket to allow the static website hosting to work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::gotothat.link-west-1/*"
        }
    ]
}

For the IAM role, I'll let the console create one for me - this is whats generated automatically for you

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::gotothat.link",
                "arn:aws:s3:::gotothat.link/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:GetObjectVersionTagging"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::gotothat.link-west-1/*"
        }
    ]
}

Once you click Save, you should see this panel appear now when you're on the Management page of your S3 bucket.

Step 2: Replicate data

Replication is now enabled. But we're not quite done.

When you enable replication, any objects created/modified from that point forward are then replicated to your target bucket. Any existing objects are NOT automatically transferred over - you have to do a one-time sync when you first set it up.

If all you have in your bucket is your website files and nothing else, then you can do an aws s3 sync s3://source.bucket s3://target.bucket to import all your existing objects. Depending on how much is in there, it can take awhile.

If you have some objects in your source S3 bucket that require you use the Website-Redirect-Location metadata (this is needed if you want to serve redirects out of your domain like this):

• You cannot do a sync with the replicated bucket using something like aws s3 sync s3://my-bucket-name s3://my-bucket-name-us-west-1. While the sync may succeed, your redirects will not. This is annoying.
• The S3 docs state that Website-Redirect-Location isn't copied over when using a sync command, although it doesn't specify why. See docs here
• However, Objects that are automatically replicated will keep their Website-Redirect-Location metadata. But any files that are aws s3 sync'd between 2 buckets will not have that metadata.

Last step is to go to the replicated bucket, select Properties, and enable Versioning + Static Website Hosting for it. If you forget this, you won't receive the 301 redirect.

At this point, you should have a bucket in another region, with all the same contents as your primary bucket, with static website hosting enabled.

Configure Failover in CloudFront

Create a new origin with an origin id like gotothatlink-failover-prod and use the URL of the form gotothat.link-west-1.s3-website-us-west-1.amazonaws.com

Create a new origin group and add your two origins at the prompt. The primary origin will be our original S3 bucket, and the secondary origin will be the new failover origin we created.

For the failover criteria, we can check all the 5xx status codes since that would imply issues happening in S3. You can check 404s if you want to protect against someone accidentally deleting all your data, or 403 Forbidden errors to protect against accidental bucket policy changes.

Next, go to the Behaviors tab, and make sure to update the behavior to route all paths to your Origin Group (and not your Origin). Otherwise, even if it fails over, it will still send requests to your primary origin.

After you've set these changes, you'll have to wait for the CloudFront distribution to finish updating (could take up to a half hour).

Test it by "accidentally" trashing your primary bucket

Since I've enabled failover on 404 errors, I'll run a test where I delete everything in my bucket. I ran aws s3 rm --recursive s3://gotothat.link/.

And now to save you boatloads of time - here is every error I ran into when setting this up.

Troubleshooting:

• You get a 404 - Cloudfront is still looking at your primary bucket. Turns out I hadn't updated the Behaviors for the CloudFront distribution - remember you need to change the behavior to stop looking at the primary origin and look at the origin group.
• You get a 403 - Your replicated bucket has incorrect permissions. See the section above labeled "Configure replication on your S3 bucket" to see the required bucket policy.
• You now get a 200 - your object doesn't have the Website-Redirect-Location metadata associated with it
  • Take a look at the replicated object by doing the following - note that it includes WebsiteRedirectLocation
  • If you've used aws s3 sync to do a one-time replication of your objects - see the section "Step 2: Replicating data" on why that might have been a problem.

☁  intricate-web  aws s3api get-object --bucket gotothat.link-west-1 --key newvideo  newvideo-1
{
    "AcceptRanges": "bytes",
    "LastModified": "Sun, 22 Sep 2019 05:21:08 GMT",
    "ContentLength": 0,
    "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
    "VersionId": "dynNjEGPeE3.z6kCCp.zgvVlbYkA.h3X",
    "ContentType": "binary/octet-stream",
    "WebsiteRedirectLocation": "https://youtube.com/video",
    "Metadata": {},
    "ReplicationStatus": "REPLICA"
}

Wrapping up

If you're doing it via the console, this doesn't take long to set up. Its a handful of steps that you can do in < 30 mins that will give you extra confidence that your site is backed up, and still functional even if S3 goes down (it usually has a high-profile outage at least once a year).

With this solution in place, you have an HTTPS website served from a global CDN with automatic failover in case of an S3 outage or data loss in your primary bucket so that you don't need to take any downtime. All this for just a few bucks a month. :mindblown:

The easiest approach is to disable DOMSanitizer and the recommended approach on Stack Overflow is to create a safeHtml pipe so that you could write <div [innerHtml]="content | safeHtml">. It's a few lines of code if you just want to drop it in - see the answer here.

But before jumping right into a solution that disables a security feature thats on by default, lets think about what we're doing for a second.

Why disable it at all?

The use case that I (and apparently many others) have is that I want to display user generated HTML content - ranging from small snippets to entire HTML pages. The issue is that DomSanitizer is stripping too much out of my HTML, and there's no way to configure its rules. In my case, I had <span style="background-color:red"> spans with inline style attributes as well as a <style> block.

DomSanitizer has its own rules about what is considered "safe" HTML. Its not wrong - I'm sure they have a good reason and they provide a safe default. As an example, Take a look at the source for DomSanitizer that shows what HTML attributes are "whitelisted". I have both <style> tags and inline styles on element - both of which it doesn't like and so it gets removed out of my HTML. No, I have no control over the source HTML.

:( Thats annoying. In this case, I kinda have to throw the baby out with the bathwater. I have to turn it off completely so that it works for what I need, but I lose all the Angular guardrails. No bueno.

bypassing DomSanitizer

DomSanitizer offers a few methods to allow you to bypass only certain parts of your content - but it doesn't quite work for user-generated HTML. Here's why.

sanitizer.bypassSecurityTrustScript(content) - content is expected to be javascript content and not HTML containing javascript content. Now it would be wonderful if I could keep this part because I don't expect my user-generated HTML to contain <script> tags (and they're cleaned out at the server-side) but I don't have the option of use the script sanitizer on my HTML content.

sanitizer.bypassSecurityTrustStyles(content) - content is expected to be CSS content, and not HTML containing a <style> tag. I can't use this method because my HTML contains style elements that are getting stripped. Welp. :shrug:

sanitizer.bypassSecurityTrustHtml(content) - content is expected to be an HTML snippet or an entire page and it leaves all your content untouched - which is NOT RECOMMENDED at all. Unfortunately, I have no other option around it.

So then, how can you stay safe from XSS attacks in Angular?

If you find yourself in this predicament where you have to bypass DomSanitizer - hopefully I can save you some time and show you what I've found.

Yes, you'll have to pull yet-another-dependency into your app, but the open-source JS community comes to the rescue. The following libraries were popular on npm & github, worked on both the server-side and client-side, with a configurable sanitizer using whitelists/blacklists and other cool features. Definitely worth checking out.

punkave/sanitize-html A popular option with a very succint and obvious name. Under recent active development.

cure53/dompurify DOMPurify has a publicly available security audit report from 2015 which has just 2 major vulnerabilities for IE9. Also worth a read if you want to learn what a DOM Clobbering attack is. Check it out here.

how to use it in place of DomSanitizer

Here's what my safeHtml Pipe looks like:

import { Pipe, PipeTransform } from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';
import DOMPurify from 'dompurify';

@Pipe({
  name: 'safeHtml'
})
export class SafeHtmlPipe implements PipeTransform {

  constructor(protected sanitizer: DomSanitizer) {}
 
 public transform(value: any, type: string): any {
     const sanitizedContent = DOMPurify.sanitize(value);
     return angular.bypassSecurityTrustHtml(sanitizedContent);
    
  }
}

You can lean on an html-sanitizing library to clean your content first, so that you can bypass the sanitizer without losing the benefits of the XSS protection.

Wrapping up

Just a reminder - you can never trust the client/browser. Always sanitize on the server-side where you can guarantee that you don't save any malicious content.

If you're using nodejs on the server-side, then this will work perfectly for you. If you find yourself needing to sanitize html on the client-side however, bring in one of the sanitizing libraries so you get some protection from XSS attacks when a built-in like DomSanitizer doesn't meet your needs.

I'm interested to hear from other people who solved this problem - leave a comment if you took a different approach, or just disabled it entirely!

• Angela, the senior dev who broke up with her partner and is emotionally devastated and needs to take a few days
• Oscar, the new dev, saying he needs a few more days to refactor a logging module that needs a "cleaner" interface.
• Kevin the PM who keeps making these damn status meetings
• Michael, the sales guy who keeps promising features that don't exist yet

You spend all your time drowning in problems, trying to keep everyone happy. You found out that multiple teams were depending on your work only after it all fell behind. People start looking to you for answers, and you don't have any. You stopped caring. You're burnt out. I've been there myself. :wave: hi.

Almost as if the presence of programming skills also indicated that the person can manage a project with many other people. There are, at least, a good chunk of people (developers included) who honestly believe this. It sounds wrong, doesn't it?

How I started as a lead

First time I became a lead, I had no prep other than being a teammate and so my only goal for my first few months was to do everything the last person did - like I imagine the person before them did, and the person before them... I also started reading everything I could about being a tech lead - check out my list here

I also decided to keep taking on the same amount of work I usually did, in addition to my tech lead responsibilities. Sound familiar? :raises_hand: I

They were in a lot of meetings, so I felt I had to be in a lot of meetings. That blew apart my schedule for the week because I couldn't work on some relatively important things, and so schedules fell behind quickly after that. I would stay late at the office (seemed to be common among tech leads or maybe just consultants), and spend long evenings catching up on extra work after people started leaving for the day. In my bachelor days, this was fine - I had no other responsibilities and coding was fun - thats the excuse anyway.

All this meant that my days were filled with meetings and other "administrivia", my evening/nights were filled with coding, and I started burning myself out over time.

Anyway, long story short.

Here's a couple tips to help you avoid burnout as a new lead

1. Plan your time carefully

Block out time on your calendar to manage your week, set hard boundaries between when you start/end the day (especially if you work remotely) and stick to it.

You probably don't need to attend every meeting thats on your calendar. But if for some reason, you are required, depending on the meeting, I'll multi-task and be a "fly on the wall" and just listen, other times I'll have to be an active participant.

If you need to set aside a day to do some hands-on dev work, put it in the calendar and decline everything else. Unless you're working on life/death scenarios, it could probably wait until later. Some people have No Meeting Thursdays, Code Review Afternoons... Call it whatever you want.

When performance review season rolls around, its even more helpful to block out time to prepare everyone's review. I've tried to write all my reviews the night before in one week for my team, and it wound up taking me HOURS for each person as I tried to remember everything they did.

2. Stay out of the critical path

The critical path in a project is the set of tasks that NEED to be accomplished in order for something to work. For example - if you're building a feature that adds a button to your site, adding a linter or a CSS theme to your project is not required for that button to work. The button itself is obviously the important work.

As a tech lead, you gotta stop picking up any of that important work. If its a time sensitive thing, and you aren't able to get it done in time, it'll have some downstream consequences, and start blocking other projects from getting done. Thats what your team is for - they can go heads down on the work.

But what if some of your team doesn't know how to make changes to your CI/CD pipeline, or the front-end dev hasn't worked on backend SQL queries? Its on you as the lead to support the team to do the work - like that time we hired a junior dev who knew python and just a little javascript to do front-end work in an Angular app. He had never worked with a full-blown framework with all the bells and whistles before, but we had bugs to fix and no time to kill, and sure enough, with some training and mentoring, he got up to speed and started cranking through bugs.

Now, its important you stay technically involved at some level, but your focus will be on the big picture, like making sure that important features are getting shipped, and less on the small details, like why is [1,2,3].flatMap throwing an error.

Want to make your week easier? Try these to start.

• start with blocking out a 4 hour chunk one day a week for heads-down coding time and decline everything. See how it goes and you can adjust depending on your workload.
• Take a look at upcoming work that you would usually do like adding a new API endpoint to a backend, and offer to pair with another dev so that they can learn how to do that work.

If you're a new tech lead, definitely check out some of the 9 books that helped me navigate my first time being a tech lead. I'd like to hear from you - what were some of the things that frustrated you when you first became a tech lead?

• Some JS code is meant to run in the browser, some JS code can only run on the server-side.
• es6 != es2016, es5 != 2015, esNext/es8, HOW OFTEN IS THIS CHANGING?! I found this explanation helpful
• Webpack? Babel? I didn't think I'd need to deal with this just to share some code!

I mean, I get it. But why do I need 147 MB in node_modules just to share 10 lines of code!

Recently at work, I tried to extract some 20-something lines of javascript into a re-usable npm library to share between a few projects. I thought it would be easy and straightforward, and when I found out it wasn't, I started putting together this post to help guide people through what it takes to build a reusable npm package.

In this guide, I'm going to create a react app that loads random images of dogs, cats, and goats. Why those 3? :shrug: They were 3 random things I found on public-apis. Then I'll take that code, and turn it into a re-usable npm package that can be used in the browser and node with webpack, babel, and typescript.

I'm also including the intricatecloud/reusable-js-demo repo here so you can take a look at the project. Best way to follow along is to look at each commit to see each change that I'm specifically making (they are also linked after each section in the post). I've shortened some of the interesting bits here for brevity.

Building Random Animal Demo

Step 1. Create the app and run it

$ npx create-react-app random-animal-demo
$ cd random-animal-demo
$ npm start

Check out the full commit 582d2b

Step 2. Hook it up to some apis

In the app, I'm going to display a dog, cat, and goat picture. I'll tweak some of the boilerplate in the react demo app. I took the default react stuff that was there, and refactored it to show an image and some text. Now I'll integrate these free apis by using axios to make requests (it works in the browser, and in node).

We'll use these APIs which allow us to call them from the browser.

https://aws.random.cat/meow https://random.dog/woof.json http://placegoat.com/200

You'll notice each API works slightly differently. The cat API returns a JSON object with a file property. The dog API returns a JSON object with a url property. And the goat API returns the image itself. I added some logic to componentDidMount() to run it on a timer so that it cycles every few seconds

const DOG = 0
const CAT = 1
const GOAT = 2

switch(newIndex) {
case CAT:
    axios.get('https://aws.random.cat/meow').then((response) => {
        const imageSrc = response.data.file
        const text = 'CAT'
        this.setState({currentAnimal: {imageSrc, text}})
    })
    break;
case DOG:
    ...

Check out the full commit 3dd98c5

Step 3: Choose how you want to import your file

Once you want to pull the logic into another file, you have to decide how you want to import it. There are a few options for how you want to import it:

ES6 Imports - if you want to use import AnimalApi from 'animal-api'

animal-api.js

export default {
    getDog: () => ....
    getCat: () => ....
    getGoat: () => ....
}

ES6 Destructured Import - if you want to use import { getDog, getCat, getGoat } from 'animal-api'

animal-api.js

export const getCat = () => ....
export const getDog = () => ....
export const getGoat = () => ....

CommonJS - if you want to use const AnimalApi = require('animal-api')

animal-api.js

module.exports = {
    getDog, getCat, getGoat
}

When would you choose one over the other?

If your app only needs to work in a browser, and only in the context of React (or Angular2+ or environment that uses ES6 modules), then you're fine with using an ES6 import.

If your lib is meant to be used in the browser, and you need to include it in a vanilla JS HTML app, you need to use a bundler like webpack to bundle your app as a lib.

If you use webpack and take advantage of code splitting and tree shaking, you can use ES6 Destructured imports. What this means is rather than include all of lodash in your app, you can only include the functions you want and you'll have a smaller built app.

If you're writing an app or a library that needs to run in BOTH the browser, and in node, then you'll need to produce a few different versions of your library: one meant for the browser (as a script tag), one as an es6 module, and one for using in node.

For this guide, we're going to be writing an ES6 module, so we can target using import AnimalApi from 'animal-api'.

Step 4: Extract some of this out into an npm library

Would you really pull some of this out into a lib? Probably not. But this is an example of how complex something that looks so simple could be. So bear with me.

I can modify my App.js file to use this new file:

 import React from 'react';
 import axios from 'axios';
+import AnimalApi from './animal-api';
 import './App.css';

 class App extends React.Component {
@@ -28,23 +29,19 @@ class App extends React.Component {

       switch(newIndex) {
         case CAT:
-          axios.get('https://aws.random.cat/meow').then((response) => {
-            const imageSrc = response.data.file
-            const text = 'CAT'
-            this.setState({currentAnimal: {imageSrc, text}})
+          AnimalApi.getCat().then((animal) => {
+            this.setState({currentAnimal: animal})
           })
           break;
         case DOG:
         ...

src/animal-api.js

const getCat = () => {
    return axios.get('https://aws.random.cat/meow').then((response) => {
        const imageSrc = response.data.file
        const text = 'CAT'
        return {imageSrc, text}
    })
}
...
export default {
    getDog,
    getCat,
    getGoat
}

Check out the full commit 37c3a3a

Next, we're going to move this logic to its own npm package.

How to package your library so that it can be used

Create a new npm library locally

Create a new folder outside of your React project for the npm package we're going to make.

$ mkdir animal-api
$ cd animal-api
$ npm init

You can use all the defaults for the npm init command which creates a package.json file like this:

{
  "name": "animal-api",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}

Then I'll copy paste all of the code thats in my random-animal-demo into animal-api/index.js, ready to be used with import AnimalApi from 'animal-api'.

Because this is a library, we'll want to add some tests to this to make sure this library is working. I like using jest, so I'll pull it in: npm install --save-dev jest

I'll then create animal-api/spec/index.spec.js:

import AnimalApi from './index'

describe('animal-api', () => {
    it('gets dogs', () => {
        return AnimalApi.getDog()
            .then((animal) => {
                expect(animal.imageSrc).not.toBeUndefined()
                expect(animal.text).toEqual('DOG')
            })
   })
})

Check out the full commit 6d797c

Now run jest:

☁  animal-api [master] ⚡ jest
 FAIL  spec/index.spec.js
  ● Test suite failed to run

    /Users/dperez/workspace/animal-api/spec/index.spec.js:1
    ({"Object.<anonymous>":function(module,exports,require,__dirname,__filename,global,jest){import AnimalApi from '../index';
                                                                                                    ^^^^^^^^^

    SyntaxError: Unexpected identifier

      at Runtime.createScriptFromCode (node_modules/jest-runtime/build/index.js:1059:14)

Test Suites: 1 failed, 1 total
Tests:       0 total
Snapshots:   0 total
Time:        0.834s
Ran all test suites.

And I thought this would have been the easiest part. Apparently, jest doesn't like the use of the import statement.

At the moment, with just an index.js file and jest, its going to be running inside a node.js environment where import is not yet supported. (This walkthrough is using node 10).

This is where babel comes into play. babel will transpile ("translate/compile") your js files from ES6 (where you can use import) and ES5 which node.js supports. Jest has a section on enabling babel support here. We'll have to install a few more packages, and a little configuration.

Run npm install --save-dev babel-jest @babel/core @babel/preset-env and then add babel.config.js

babel.config.js

module.exports = {
  presets: [
    [
      '@babel/preset-env',
      {
        targets: {
          node: 'current',
        },
      },
    ],
  ],
};

Then when you run jest, you get to the next error

☁  animal-api [master] ⚡ jest
 FAIL  spec/index.spec.js
  ● Test suite failed to run

    Cannot find module 'axios' from 'index.js'

Aha, progress. Now it knows how to read the import statement, and the test runs. Now i'm missing a dependency - axios. npm install --save axios. Now re-run jest and all green!

☁  animal-api [master] ⚡ jest
 PASS  spec/index.spec.js
  animal-api
    ✓ gets dogs (161ms)
    ✓ gets cats (69ms)
    ✓ gets goats

Test Suites: 1 passed, 1 total
Tests:       3 passed, 3 total
Snapshots:   0 total
Time:        1.148s
Ran all test suites.

Check out the full commit fafc23a

Next up, we'll go through a few scenarios for how to include this package in another project

Scenario 1: A lib that only needs to work in a browser, and you're using React/Angular2+ (ES6 modules).

I'm at a good spot now where I can try including this library in my react app. Rather than publishing the npm package publicly, I'll just "install" it from the folder on my machine. I'll switch back to my react app and run npm install ../animal-api

My package.json now looks like this:

     "@testing-library/user-event": "^7.2.1",
+    "animal-api": "file:../animal-api",
     "axios": "^0.19.2",

I can try using it from the React app. Back to App.js

 import React from 'react';
-import axios from 'axios';
-import AnimalApi from './animal-api';
+import AnimalApi from 'animal-api';
 import './App.css';

Check out the full commit a802898

Boom! Everything works! Fantastic, I've now got a publish-able package. By coincidence, theres already an animal-api published to npm so I wont bother adding yet-another-one. If all you need to do is share some code thats going to be used in a React/Angular framework (where you can use import), then you can stop right here. Move on with your life and be grateful you don't need to read Scenario 2.

Scenario 2. Using the library in a browser using a script tag

This is where we want to create a file that be included as a script tag.

In your animal-api directory, create index.html, run a local webserver with npx http-server and visit your page http://localhost:8080:

index.html

...
<div id="imageSrc"></div>
<div id="text"></div>
...
<script src="./index.js"></script>
<script>
    AnimalApi.getDog().then(function(animal) {
        document.querySelector('#imageSrc').textContent = animal.imageSrc
        document.querySelector('#text').textContent = animal.text
    })
</script>

Check out the full commit df79f05

The first error I get with this is:

index.js:1 Uncaught SyntaxError: Cannot use import statement outside a module
index.html:11 Uncaught ReferenceError: AnimalApi is not defined
    at index.html:11
(anonymous) @ index.html:11

This is saying that the browser can't run your file that contains import statements. We used babel before so that jest was able to use the import keyword. We have to do something similar here. The only difference is that we need to save the "transpiled" output so we can include it in the browser. Since we already have babel as a dependency in animal-api, we can use it to convert to a UMD module

$ npm install --save-dev @babel/plugin-transform-modules-umd @babel/core @babel/cli

Then we can run babel index.js -d lib which will create a lib/index.js file ready to be consumed as a script tag in your browser. Now I can update my script tag to point to this other file.

     </body>
-<script src="./index.js"></script>
+<script src="./lib/index.js"></script>
 <script>
     AnimalApi.getDog().then(function(animal) {

Once I refresh the page, one error goes away, the other one stays.

index.html:11 Uncaught ReferenceError: AnimalApi is not defined
    at index.html:11

We haven't configured the babel plugin that creates the UMD module to use the name that we want. Because our file is named index.js, we'll update our babel.config.js to this:

babel.config.js

 module.exports = {
+    plugins: [
+        ["@babel/plugin-transform-modules-umd", {
+        exactGlobals: true,
+        globals: {
+          index: 'AnimalApi'
+        }
+      }]
+    ],
     presets: [

Re-run babel index.js -d lib, and refresh the page

And now I get a new error! Progress!

Uncaught TypeError: AnimalApi.getDog is not a function
    at index.html:8

This one is a head scratcher. Whatever babel is doing to this file, I'm losing access to my functions. Lets take a look at what the transpiled file looks like lib/index.js. In this file, I notice 2 things:

global.AnimalApi = mod.exports;
...
var _default = {
    getDog,
    getCat,
    getGoat
  };
  _exports.default = _default;

This suggests that there is a .default property on my AnimalApi global object. This is a small detail thats usually invisible when you're using the import axios from 'axios' syntax. An ES6 package will provide a "default" export, and when you use the import statement, it knows to look at .default property for you, so you don't need to write it.

Lets update our code to match that:

AnimalApi.default.getDog().then(function(animal) {
    ...
})

Now, when we refresh the browser, we get our next error:

index.js:36 Uncaught TypeError: Cannot read property 'get' of undefined
    at Object.getDog (index.js:36)
    at index.html:8

Check out the full commit 5da97d8

This is failing to call axios.get because axios is undefined. All we did was transpile the index.js file. The code for axios isn't there, and the browser doesn't know that its supposed to search your node_modules directory for it (nor can it).

What we need to do is create one js file, that has all the dependencies of that library built into it, so that you only need to add the 1 script tag to your site. Babel can't handle your dependencies, it can only translate.

We now need to introduce our 2nd tool: webpack!

We'll use webpack to take a look at our file, and everything that is import'd/require'd will then get "packed" into one file.

We'll install webpack

$ npm install --save-dev webpack webpack-cli

And add the following to webpack.config.js

const path = require('path');

module.exports = {
  entry: './index.js',
  output: {
    path: path.resolve(__dirname, 'lib'),
    filename: 'animal-api.js',
    library: 'AnimalApi',
    libraryTarget: 'var'
  },
};

This config will look at ./index.js and create ./lib/animal-api.js which will make the variable AnimalApi available within your javascript, using the var target.

Now run webpack and you'll notice that lib/animal-api.js got a lot bigger, with more gibberish.

Go back to your index.html and update the script tag:

-<script src="./lib/index.js"></script>
+<script src="./lib/animal-api.js"></script>

Check out the full commit 8f865c5

Refresh the page, and success! The data shows up! If thats all you needed, then great. You can stop here. Otherwise....

Scenario 3: Using the library in both the browser AND node

I'll create a plain javascript file that I'll run with node: node node-test.js

node-test.js

const AnimalApi = require('./index.js')

AnimalApi.getCat().then(animal => {
    console.log(animal)
})

I get this error:

/Users/dperez/workspace/animal-api/index.js:1
(function (exports, require, module, __filename, __dirname) { import axios from 'axios';
                                                                     ^^^^^

SyntaxError: Unexpected identifier

We saw this when we tried to run our index.spec.js file with jest before using babel. We're trying to import an ES6 module with require which won't work because import is part of ES6 and node is running against ES5 (for node 10 anyways). We built a lib/index.js using babel earlier in Scenario 1 which contains an ES5 module (that was transpiled from ES6). Lets use that instead:

I now get this error:

☁  animal-api [master] ⚡ node node-test.js
/Users/dperez/workspace/animal-api/node-test.js:3
AnimalApi.getCat().then(animal => {
          ^

TypeError: AnimalApi.getCat is not a function

We saw this earlier in the browser, and saw that we needed to add AnimalApi.default.getCat() because of the way that babel transpiles your ES6 module to a UMD module. Once we update it....

☁  animal-api [master] ⚡ node node-test.js
{ logo: 'https://purr.objects-us-east-1.dream.io/i/v0SoPzk.jpg',
  text: 'CAT' }

Check out the full commit 3cdea87

Success! We can use the ES5 module lib/index.js that was created by babel in order to use the library in node.js.

Scenario 4: You want to use Typescript in your library, but still include it as normal in a React/node project

What if you like using Typescript and would rather create your library using Typescript, but still use it in other non-typescript projects? No fear, there's an easy solution.

I'm going to add an index.ts file which contains the library, only using Typescript. Here's what it looks like compared to our index.js file. We added an interface and added a function signature.

+interface Animal {
+    imageSrc: string
+    text: string
+}
+
+const getCat = (): Promise<Animal> => {
     return axios.get('https://aws.random.cat/meow').then((response) => {
         const imageSrc = response.data.file
         const text = 'CAT'
-        return {imageSrc, text}
+        return {imageSrc, text} as Animal
     })
 }

If we try to run this .ts file straight from react by adding:

App.js

 import React from 'react';
-import AnimalApi from 'animal-api';
+import AnimalApi from 'animal-api/index.ts';
 import './App.css';

When we refresh the app, we see this error:

Module parse failed: The keyword 'interface' is reserved (3:0)
You may need an appropriate loader to handle this file type, currently no loaders are configured to process this file. See https://webpack.js.org/concepts#loaders
| import axios from 'axios';
|
> interface Animal {
|     logo: string
|     text: string

The problem is that React doesn't know what to do with your .ts file. So now you need to convert your index.ts file into something that React can read which would be either an ES6 module, or an ES5 module.

Typescript is able to do this without the help of babel. We can compile our file to an ES5 module that we can then import or require. First, install typescript npm install --save-dev typescript

Add a tsconfig.js to configure your Typescript compiler

{
    "compilerOptions": {
        "outDir": "./dist",
        "lib":["ES2015", "ES2016"],
        "sourceMap": true,
        "noImplicitAny": true,
        "target": "es5",
        "module": "commonjs"
    }
}

When we run tsc, we'll get dist/index.js and that file we'll be able to include from our react project or node-test.js file.

index.html

 import React from 'react';
-import AnimalApi from 'animal-api';
+import AnimalApi from 'animal-api/dist/index';
 import './App.css';

Check out the full commit 2625124

Now when you refresh your pages, success! Now, for the last bit...

Scenario 5: You want to use Typescript to build a lib included as a script tag

When we want to include a library or project using a script tag, we need to use a bundler to make sure that our projects dependencies are included with our library. We used webpack earlier to do this, and without much mucking around, we were able to produce a js bundle that can be included as a <script src="./lib/animal-api.js">

We'll update webpack.config.js to add a Typescript loader which will be able to read your Typescript file and do things with it. We'll still use webpack to bundle it.

Run npm install --save-dev ts-loader to install the loader and then update the webpack config.

webpack.config.js

 module.exports = {
-  entry: './index.js',
+  entry: './index.ts',
+  module: {
+    rules: [
+      {
+        test: /\.ts$/,
+        use: 'ts-loader',
+        exclude: /node_modules/,
+      }
+    ]
+  },
+  resolve: {
+    extensions: ['.ts', '.js'],
+  },
   output: {

Thats all we have to add to our webpack configuration to get this project built and bundled. Once you run webpack, you'll get a new file ./lib/animal-api.js. Go back to your test index.html file to test it out. Thats it!

Check out the last full commit cc18f80

Theres a few things to be aware of. Our very simple library has multiple entry points that need to be maintained.

• If you can consume ES6 modules using import AnimalApi from 'animal-api' then that will rely on your ./index.js file.
• If you want to consume your ES6 module in the browser, you need to use the ./lib/animal-api.js file which will make AnimalApi globally available using the babel plugin, and bundles all the dependencies along with it using webpack.
• If you want to use your ES6 module in node, then you need to use ./lib/index.js, the UMD module that we built with babel.
• If you want to use your Typescript file from another Typescript project, you need to use ./lib/index.ts
• If you want to use your Typescript file in a node.js environment, you have to use tsc to compile it down to an ES5 module that you can then re-use.
• If you want to use your Typescript file in a <script src="mylib.js">, you'll need to use webpack with ts-loader to compile your typescript, bundle all the dependencies, and produce a UMD bundle.

Both your source files, and built files can be distributed with your npm package and left to the user to choose which one they need. But it does require you to put a fair amount of tooling in place to create that convenience.

Wrapping up

Remember, you can follow along commit by commit by checking out the repo here intricatecloud/reusable-js-demo. Drop a ⭐️ if you found it helpful!

Thanks for reading along, hope this helped you understand the differences between the different module types, and how to go about extracting a library from our application that we can use both in and outside of the browser.

If you're interested in more things react - definitely check out my in-depth guide to adding google sign-in to a react app, or my guide to deploying a static website using S3 + Cloudfront with terraform

Whenever you're making a backend API call with axios, you have to consider what to do with the .catch() block of your promise. Now, you might think that your API is highly available and it'll be running 24/7. You might think that the user workflow is pretty clear, your javascript is sane, and you have unit tests. So when you stare at the catch block when making requests using axios you might think - "Well... I'll just console.log it. That'll be fine."

axios.get('/my-highly-available-api').then(response => {
    // do stuff
})
.catch(err => {
    // what now?
    console.log(err);
})

But there are so many many many more things that are outside of your control that could throw errors when making API requests. And you probably don't even know that they're happening!

This post deals mainly with errors you see in the browser. Things can get pretty funny looking on the back end too - just take a look at 3 things you might see in your backend logs

Below are 3 types of errors that could appear, and how to handle it, when using axios.

Catching axios errors

Below is a snippet I've started including in a few JS projects.

axios.post(url, data).then(res => {
        // do good things
})
.catch(err => {
	if (err.response) {
	  // client received an error response (5xx, 4xx)
	} else if (err.request) {
	  // client never received a response, or request never left
	} else {
	  // anything else
	}
})

Each condition is meant to capture a different type of error.

Checking error.response

If your error object contains a response field, that means your server responded with a 4xx/5xx error. Usually this is the error we're most familiar with, and is most straightforward to handle.

Do things like a show a 404 Not Found page/error message if your API returns a 404. Show a different error message if your backend is returning a 5xx or not returning anything at all. You might think your well-architected backend won't throw errors - but its a matter of when, not if.

Checking error.request

The second class of errors is where you don't have a response but there's a request field attached to the error. When does this happen? This happens when the browser was able to make a request, but for some reason, it didn't see a response.

This can happen if:

• you're in a spotty network (think underground subway, or a building wireless network)
• if your backend is hanging on each request and not returning a response on time
• if you are making cross-domain requests and you're not authorized to make the request
• if you're making cross-domain requests and you are authorized, but the backend API returns an error

One of the more common versions of this error had a message "Network Error" which is a useless error message. We have a front-end and a backend api hosted on different domains, so every backend API call is a cross-domain request.

Due to security constraints on JS in the browser, if you make an API request, and it fails due to crappy networks, the only error you'll see is "Network Error" which is incredibly unhelpful. It can mean anything from "your device doesn't have internet connectivity" to "your OPTIONS returned a 5xx" (if you make CORS requests). The reason for "Network Error" is described well here on this StackOverflow answer

All the other types of errors

If your error object doesn't have the response or request field on it, that means its not an axios error and theres likely something else wrong in your app. The error message + stack trace should help you figure out where its coming from.

How do you fix it?

Degrading the user experience

This all depends on your app. For the projects I work on, for each of the features that use those endpoints, we degrade the user experience.

For example, if the request fails, and the page is useless without that data, then we have a bigger error page that will appear and offer users a way out - which sometimes is only a "Refresh the page" button.

Another example, if a request fails for a profile picture in a social media stream, we can show a placeholder image and disable profile picture changes, along with a toaster message explaining why the "update profile picture" button is disabled. However, showing an alert saying "422 Unprocessable Entity" is useless to see as a user.

Spotty networks

The web client I work on is used in school networks which can be absolutely terrible. The availability of your backend barely has anything to do with it, the request sometimes fail to leave the school network.

To solve these types of intermittent network problems, we added in axios-retry. This solved a good amount of the errors we were seeing in production. We added this to our axios setup:

const _axios = require('axios')
const axiosRetry = require('axios-retry')

const axios = _axios.create()

// https://github.com/softonic/axios-retry/issues/87
const retryDelay = (retryNumber = 0) => {
    const seconds = Math.pow(2, retryNumber) * 1000;
    const randomMs = 1000 * Math.random();
    return seconds + randomMs;
};

axiosRetry(axios, {
    retries: 2,
    retryDelay,
    // retry on Network Error & 5xx responses
    retryCondition: axiosRetry.isRetryableError,
});

module.exports = axios;

We were able to see that 10% of our users (which are in crappy school networks) were seeing sporadic "Network Errors" and that dropped down to <2% after adding in automatic retries on failure.

^ This is a screenshot of our errors is the count of "Network Errors" as they appear in NewRelic and are showing <1% of requests are erroring out.

Which leads to my last point:

Add error reporting to your front-end

Its helpful to have front-end error/event reporting so that you know whats happening in prod before your users tell you. At my day job, we use NewRelic Browser (paid service - no affiliation, just a fan) to send error events from the front-end. So whenever we catch an exception, we log the error message, along with the stack trace (although thats sometimes useless with minified bundles), and some metadata about the current session so we can try to recreate it.

Other tools that fill this space are Sentry + browser SDK, Rollbar, and a whole bunch of other useful ones listed here

Wrapping up

If you get nothing else out of this, do one thing.

Go to your code base now, and review how you're handling errors with axios.

• Check if you're doing automatic retries, and consider adding axios-retry if you aren't
• Check that you're catching errors, and letting the user know that something has happened. axios.get(...).catch(console.log) isn't good enough.

So. How do you handle your errors? Let me know in the comments.

I recently became tech lead of my team after the previous lead left suddenly. This wasn't my first time filling in the tech lead's shoes, and I've tried to study a lot about being a lead (check out my recommended book list for new tech leads). One of the first items on any leads list, according to "The Internet(tm)", is to set up 1-1s with people who reported to me. Now, we all understand its a best practice that we should do, but how much we follow through it on can be questionable, kinda like saying you'll take a Cod Liver oil supplement, but the bottle has been sitting there, unopened on your kitchen counter, reminding you of how it tastes gross so you don't do it.

As I stared at the item on my Trello board, I decided to procrastinate it. I've already wasted 15 minutes by thinking about why I don't want to do it. Instead, I'll take an easy issue off the list for this sprint, to get me a quick fix - like a sugary drink that only makes you thirstier. Its familiar, readily available, and gives me the cycle of satisfaction of pushing code out to production.

Why did I keep pushing it out?

I thought devs would hate 1-1s. They just want to code without getting interrupted by "management" asking silly questions about your happiness. Why would I want to add another meeting to their calendar? They're senior so surely they'll speak up if they need something. So I can procrastinate this.

Maybe theres someone who I feel doesn't really like me or vice versa (it happens, we're only human), and I'll have to have a 1-1, face-to-face conversation with them, and boy, is that going to be awkward, so I'll procrastinate.

There might be someone on the team who's not quite carrying their weight. I might have to bring up something about it, but they're going to respond poorly and it'll ruin my day. Giving negative feedback is so emotionally draining, and I hate conflict, so I'll procrastinate.

So how do you solve these issues?

You know what helps? Talking to your team. Regularly. In private. Team meetings dont count, nor do retros.

Why?

You might have a senior dev who leaves your company because he felt people didn't care about his hard work. You thought he was doing just fine, he should have said something, right? He probably didn't have a chance to and felt uncomfortable bringing it up because they thought you would think its stupid and didn't care. If only you had a chance to regularly catch up with him and let him that it would be the opposite, he would have mentioned it.

You might have a low-performing dev who doesn't know they're not carrying their weight. They think they're doing a great job because no one has said anything about it yet - no news is good news, right! If only you had a chance to talk to them regularly, you could give them feedback and prevent the rest of the team from resenting both that dev for creating more work for them, and the manager for not doing anything about it.

You also won't have two product managers breathing down your neck, because your team was supposed to deliver an important feature for another team, but that got delayed because a dev had to re-do another dev's work in order to finish a new feature. If only you talked to your team.

So how do you do it? Easy - set aside a consistent time where you and your team mate can have a private conversation

• about their compensation, and employment
• about their work
• about any problems with other devs

...so, fine. I guess I'll just schedule my 1-1s to talk with my team today.

For other helpful resources for new tech leads, check out:

• tips for avoiding burn out as a new tech lead
• 9 books that helped me navigate my first time as a tech lead

You can also watch me live-code this walkthrough over on my Youtube channel - check it out! [embed]https://www.youtube.com/watch?v=qS4dY7syQwA [/embed]

Create a new react app and add a sign-in state

Start with a bare react app... npx create-react-app one-tap-demo

For this example app, I'll be using the JS library to initialize the one-tap prompt. The reference guide shows you how to add it using mostly HTML, but if you're using a front-end framework, its easier to use just JS to configure it.

Add some state to keep track of when the user has signed in

function App() {
+   const [isSignedIn, setIsSignedIn] = useState(false)
    return (
        <div className="App">
            <header className="App-header">
                <img src={logo} className="App-logo" alt="logo" />
+                { isSignedIn ? <div>You are signed in</div> : <div>You are not signed in</div>}
            </header>
        </div>
    )
}

Add the GSI

Add the Google Sign-In library (also called GSI) dynamically when your application starts

function App() {
    const [isSignedIn, setIsSignedIn] = useState(false)

+     const initializeGsi = () => {
+        google.accounts.id.initialize({
+            client_id: 'insert-your-client-id-here',
+        });
+        google.accounts.id.prompt(notification => {
+            console.log(notification)
+        });
+ }
+
+    useEffect(() => {
+        const script = document.createElement('script')
+        script.src = 'https://accounts.google.com/gsi/client'
+        script.onload = initializeGSI()
+        script.async = true;
+        document.querySelector('body').appendChild(script)
+    }, [])

}

There's 2 API calls - one to configure the library, and one to show the user the prompt (after the library has been configured). To see all possible configuration options, check the reference here.

I added it as a useEffect hook with [] as an arg, so that it only runs once after the first render. ref

When you refresh the page, if you got it all right the first time, you'll see the prompt.

Get a Client ID from your Google Developer Console

Follow this guide for adding your Get your Google API client ID

When I refreshed the page after following the steps and adding my client id to the app, I got this error message:

[GSI] Origin is not an authorized javascript origin

For me, it meant that my Google OAuth Client ID is misconfigured. I missed the "Key Point" on the official walkthrough - which only applies if we're using localhost as our domain.

• Confirm that your site URL (i.e. http://localhost:3000) is added as both an authorized Javascript origin and as a valid redirect URI, in the Google OAuth Client Console.
• IMPORTANT You ALSO need to add http://localhost as an authorized Javascript origin. This only seems necessary in development when you might be using a different port in your URL (we are).

Using the sign-in button

Now when you refresh the page, it should be working, and you should see the prompt. If you don't see the prompt, check your developer console for errors, and if that doesn't help - see the section on Debugging below.

IF THIS IS YOUR FIRST TIME DOING THIS, DO NOT CLICK THE X BUTTON ON THE PROMPT BEFORE READING THIS WARNING!

WARNING 1: Clicking the X button on the one-tap prompt dismisses the prompt. If you refresh the page after this, you won't see the button come back. Why?

The One Tap library has some additional side effects around dismissing the prompt. If you've clicked the X button, a cookie has been added to your domain called g_state. Here's a screenshot of where you can find it - if you clear that cookie value, you'll see the prompt come back.

WARNING 2: Clicking the X button more than once will enter you into an Exponential Cool Down mode - see the reference here. What does that mean?

• You cannot clear cookies or use an incognito window to get around it (at least I couldn't). It seems to be based on your browser and website (maybe IP?), its not clear. If you accidentally run into this, time to take a break. Or try a different browser/website URL.
• After I dismissed it, I couldn't see it for 10-15 minutes, although the table on the developer guide suggests I wouldn't see it for 2 hours. In any case, its an annoying thing to have to run into during development.

Debugging issues with One Tap sign-in

The developer guide suggests this as example code for your prompt. But it flys over an important detail that the reason WHY your prompt did not display, or got skipped, or got dismissed is also in the notification object.

google.accounts.id.prompt(notification => {
      if (notification.isNotDisplayed() || notification.isSkippedMoment()) {
                  // continue with another identity provider.
      }
})

There are 3 types of notification moments - display, skipped, dismissed and each one has their own list of possible reasons, with its own API call to figure it out - see here for the full list. If you're having problems with the button and you don't know why, it might be helpful to use the snippet below to see what those reasons look like:

google.accounts.id.prompt(notification => {
+      if (notification.isNotDisplayed()) {
+          console.log(notification.getNotDisplayedReason())
+      } else if (notification.isSkippedMoment()) {
+          console.log(notification.getSkippedReason())
+      } else if(notification.isDismissedMoment()) {
+          console.log(notification.getDismissedReason())
+      }
        // continue with another identity provider.
    });

One of the reasons you might see is opt_out_or_no_session. This can mean that

• A. your user has "opted out" of the prompt by dismissing it. You can try clearing the g_state cookie that might be on your domain, if you dismissed it by accident
• B. your user does not have a current Google session in your current browser session.
  • While this is a passwordless sign-on via Google, it does require you to have signed into Google (presumably with a password) at some earlier point.
  • If you are using an Incognito window, make sure you sign in to Google within that window.

Now that your user has signed in

Once you have selected your account and signed in with no errors, its time to hook it into your React app. If you've used the Google Sign-In for Websites library before (see here for my guide on setting it up), there's an API to let you get at the user's info. But with the One Tap Sign-In for Web library, you only get the users id token (aka their JWT token).

That means you need to decode the ID token to get the users info. We can do that by adding the jwt-decode library with npm install --save jwt-decode

To do all this, add a callback to your initialize block:

+ import jwt_decode from 'jwt-decode'

function App() {
    const [isSignedIn, setIsSignedIn] = useState(false)
+   const [userInfo, setUserInfo] = useState(null)
+   const onOneTapSignedIn(response => {
+       setIsSignedIn(true)
+       const decodedToken = jwt_decode(response.credential)
+       setUserInfo({...decodedToken})
+   })

     const initializeGsi = () => {
        google.accounts.id.initialize({
            client_id: 'insert-your-client-id-here',
+            callback: onOneTapSignedIn
        });
        ...
 }
    ...
    return (
        <div className="App">
            <header className="App-header">
                <img src={logo} className="App-logo" alt="logo" />
+               { isSignedIn ?
+                   <div>Hello {userInfo.name} ({userInfo.email})</div> :
+                   <div>You are not signed in</div>
+               }
            </header>
        </div>
    )
}

To see all the user info that is available to you, see the dev guide here

Signing out

The docs suggest adding a <div id="g_id_signout"></div> to your page, but its not clear if the library is supposed to create a sign-out button for you. I think the answer is no, because I tried it, and nothing happens.

My current theory is that signing-out is meant to be left to your own application, and can be as easy as refreshing the page.

• In this post, I'm only using the One-Tap button on the front-end since I have no login system myself. Whenever you refresh the page, you'll see the prompt even if you just finished signing in.
• If I wanted to integrate this with an existing login system, "sign-out" would mean signing out of my own application (and not out of my google account)
• This flow works out as long as you dont enable the auto sign-in option.

+ const signout = () => {
+     // refresh the page
+     window.location.reload();
+ }

return (
    <div className="App">
        <header className="App-header">
            <img src={logo} className="App-logo" alt="logo" />
            { isSignedIn ?
+               <div>
+                   Hello {userInfo.name} ({userInfo.email})
+                   <div className="g_id_signout"
+                       onClick={() => signout()}>
+                       Sign Out
+                    </div>
               </div> :
               <div>You are not signed in</div>
            }
        </header>
    </div>
)

Limitations of the One Tap Sign-In button

Also lost in the developer guide is this comment for the prompt snippet // continue with another identity provider. which brings us to the section on limitations of this sign-in prompt.

• The One Tap Sign-In button only works on Chrome & Firefox across Android, iOS, macOS, Linux, Window 10. If you have users on Safari or Edge, they won't see the prompt. When I try it, I get a Not Displayed error with reason opt_out_or_no_session :shrug:
• If your users accidentally dismiss the prompt (see the warning above if you missed it the first time), they will also see opt_out_or_no_session as the Not Displayed reason, and they will be unable to sign-in.
• The library (and the interface itself) is different from the Google Sign-In for Web library. The One Tap library uses google.accounts.id.initialize() to initialize the app, and the other one uses gapi.auth2.init() - That seems like a missed opportunity to put both login systems behind the same interface.
• There's no sign out button - the snippet thats mentioned in the docs doesn't seem to do anything. My guess is that a sign-out button could mean refreshing the page which would cause the prompt to appear again, effectively signing you out.

It's highlighted on the main page of the dev docs, but you can't use this library alone. I did it here for the purposes of a hello world example, but its meant to be an upgrade to your login experience.

Try it out

I've pushed this sample code to github available on intricatecloud/google-one-tap-web-demo. Instructions to run the demo in the README.

It's worth taking a look at how some of these other sites have implemented the login workflow. Sign in to Google in your current browser session, and then visit medium.com to see the prompt in action.

Last week, I saw a Reddit comment thread that was asking about coding games - games where you have to write code to play the game. I've heard of a couple over the years, but never explored the genre. I went down the rabbit hole over the weekend, and was amazed at a world I didn't know existed. Here's the games that really stood out to me, and they range from beginner-friendly to advanced development knowledge required.

Flexbox Froggy & Grid Garden

These two games are friendly for those that are learning CSS. Make a frog move around the screen with Flexbox Froggy or plant some carrots with Grid Garden. Even as a dev with decent CSS - some of these took me a minute to figure out. Its not often that you use CSS to control a game!

These games have a bit of chatter around them online so there are also resources for helping you if you get stuck, so you can search for "grid garden answers" to make your way!

CodeCombat

CodeCombat is an RPG-like game where you have a character that you control with Javascript, Python, or C++ (and Coffeescript!). The game is beginner-friendly for those learning JS or Python. You progress through levels writing different bits of code, and you can level up your skills and abilities as you go through each level. I was a huge fan of Diablo and this feels like that kind of RPG except rather than mouse-clicking all over the screen, you write some Javascript to beat the level.

CodinGame

If you thought CodeCombat was fun - get a load of CodinGame. Its pretty feature packed. You go through a series of challenges where you need to write or edit some code to make things happen. As you complete each challenge, you can see your progress on a map. You get achievements for your progress, and access to CodeClash. A CodeClash is a multiplayer challenge where you and a few other people participate in a code challenge - where you try to write code to get the most tests to pass the fastest.

There's a leaderboard, a chat, and you can see other people's submissions (on the Code Clash anyway). They also have practice challenges that have easy/medium/hard difficulty - they have something for everyone here. Easy to spend a fun 20 minutes here.

Untrusted

I'm not sure if Untrusted is a play on Unchartered the game, but this game was pretty fun to get started on.

This one is definitely for intermediate-advanced JS developers. Make your way through various puzzles using javascript to help break the puzzle you're in, and move to the next level. The concept and game play was pretty fun and my favorite (maybe a close second behind CodinGame). You have to be able to read Javascript code, and you should at least be good at getting your JS to do the wrong thing (🙋‍♂️ I'm a pro at this by now).

Capture the Flag & CTFLearn

I've always heard of capture the flag events, most in the context of First-Person Shooter games, but I had no idea what a cybersecurity CTF is! A Capture the Flag (CTF) event is where teams are presented with coding or hacking challenges where they need to search for a flag, and then submit it when they find it for points. Most points win.

This is best suited towards someone (or teams) with experience in web technologies, although they do have more beginner-friendly challenges.

What really got me interested in this was running across the Live Overflow channel on YouTube where he goes into what a live CTF event actually looks like behind the scenes. He cut out all the boring parts of it but really goes into how his team participates in the event. I thought it would have been that you can show up and participate, but maybe not! Check it out on YouTube here.

[embed]https://www.youtube.com/watch?v=DGuRI_SPZYg&t=516s[/embed]

Typically, CTFs are organized by someone and run during some time period. Teams are able to register to participate. The host would usually provide a live environment for hacking or provide files that you'd need to solve the challenge. CTF Time is a useful listing of CTF events around the global, around the year.

If you don't want to participate in a live event with a team, CTFLearn is a way to practice Capture-the-Flag style challenges across a variety of topics in the systems space. I did a few bits of the Forensics challenge on CTFLearn and it really got me scratching my head for a bit - definitely a fun challenge, but made me question whether I knew how to solve it or not.

I hope at least one of these games piques your interest, there's something here for every difficulty level. If you do try one of these out - leave a comment or hit me up on Twitter @intricatecloud and let me know what you thought!

• Handling requests that sometimes take longer than usual and leave the user looking at an empty page
• Handling requests that have errored and you want to give the user a way out
• Handling a possible timeout where the request is taking significantly longer than usual and giving the user an updated loading message so they see the page isn't frozen
• Handling a definite timeout where you want to abort the request to give the user a more specific error message

I'll start with a very innocent example - When the ResultsList component loads, it request some data, and displays it in the UI.

const ResultsList = () => {
  const [results, setResults] = useState([])
  
  // run on load
  useEffect(() => {
    axios.get(apiUrl).then(response => {
      setResults(response.data)
    }).catch(err => {
      console.log(err)
    })
  }, [])
  
  return (
    <ul>
      { results.map(result => {
          return <li>{result.name}</li>
        })
      }
    </ul>
    )
  }

The data from the API is being stored in the results field of the component's state. It starts as an empty array, and gets replaced with the actual results when the data is fetched.

This is buggy. Here's why.

1. Handling long response times

Not all users will have a great connection, even if your backend is stable, and that request may take a little longer to complete than usual. In this example, there's no feedback to the user that something is happening, and when there are issues, the page will be empty for a lot longer than you're expecting.

It will make your users ask, "Am I supposed to be seeing something yet?"

This question can be solved with a few snippets:

const ResultsList = () => {
+  const [results, setResults] = useState(null)

...

+  const getListItems = () => {
+    if(results) {
+      return results.map(result => {
+        return <li>{result.name}</li>
+    })
+    } else {
+      return (
+        <div>
+          <i class="fas fa-spinner fa-spin"></i>
+          Results are loading...
+       </div>
+      )
+    }
+   }
+
+  return (
+    <div>
+      <ul>{getListItems()}</ul>
+    </div>
+    )
  }

There are 2 changes

• Rather than initialize results to an empty array [], its initialized to null.
• I can then check if I should show a loading message, or if I should show the list with data.

Pro-tip: Add spinners. They're so easy. And fun. Your users will be less confused. I say this as someone who was too lazy to add spinners.

2. Handling errors

When something goes wrong, the easy options are to write it to the console, or the show user an error message. The best error message is one that can tell the user how to fix whatever just happened. I have more details on the axios error object on this post here

The easy option is to show the user something useful on any error, and offer them a way to fix things.

const ResultsList = () => {
  const [results, setResults] = useState(null)
+ const [error, setError] = useState(null)

+ const loadData = () => {
+   return axios.get(apiUrl).then(response => {
+     setResults(response.data)
+     setError(null)
+   }).catch(err => {
+     setError(err)
+   })
+ }

  // run on load
  useEffect(() => {
+   loadData()
-    ...
  }, [])

+ const getErrorView = () => {
+   return (
+     <div>
+       Oh no! Something went wrong.
+       <button onClick={() => loadData()}>
+         Try again
+.      </button>
+     </div>
+   )
+ }

  return (
    <div>
+    <ul>
+      {  error ? 
+        getListItems() : getErrorView() 
+      }
+    </ul>
-    <ul>{getListItems()}</ul>
    </div>
    )
  }

Here, I've added an error field to the component's state where I can keep track of errors and conditionally show an error message to the user. I give them a painfully generic error message, but I offer a way out via a button to Try again which will retry the request.

When the request succeeds, the error is cleared from the state, and the user sees the right info. Wonderful.

3. Handling a possible timeout

You get extra bonus points if you add this. Its not that its hard, its just that its quite considerate. Every once in awhile, a user will come across a loading spinner, and they'll wonder - "Is it frozen and the icon is just spinning or does it really take this long?"

If a request is taking awhile, you can give the user a little feedback in the form of, "This is taking longer than usual..."

+ const TIMEOUT_INTERVAL = 60 * 1000

const loadData = () => {
+   if (results) setResults(null)

    // make the request
    axios.get(apiUrl).then(response => {
      setResults(response.data)
      setError(null)
    }).catch(err => {
      setError(err)
    })

+   // show an update after a timeout period
+   setTimeout(() => {
+     if (!results && !error) {
+       setError(new Error('Timeout'))
+     }
+   }, TIMEOUT_INTERVAL)
}

const getErrorView = () => {
+   if (error.message === 'Timeout') {
+     <div>This is taking longer than usual</div>
+   } else {
      return (
        <div>
          Oh no! Something went wrong.
          <button onClick={() => loadData()}>
           Try again
          </button>
        </div>
      )
+    }
}

You can set a timer for whichever TIMEOUT_INTERVAL you want. When the timer executes, check whether the data has already loaded, and show the extra error message. If there are no results yet, and no errors, we're still waiting for data so you can show the updated loading message.

4. Handling a definite timeout

If you know a request is supposed to be quick, and you want to give the user quick feedback, you can set a timeout in the axios config.

const loadData = () => {
    if (results) setResults(null)

    // make the request
+    axios.get(apiUrl, { timeout: TIMEOUT_INTERVAL }).then(response => {
-    axios.get(apiUrl).then(response => {
      setResults(response.data)
      setError(null)
    }).catch(err => {
      setError(err)
    })
		...
}
const getErrorView = () => {
    if (error.message === 'Timeout') {
      <div>This is taking longer than usual</div>
+    } else if (error.message.includes('timeout')) {
+      <div>This is taking too long. Something is wrong - try again later.</div>
+    } else {
      return ...
    }
}

Axios will throw an error here when the request rejects and it'll have an error message like timeout of 30000ms exceeded

Get started

Take a look at your React projects that are working with APIs and review how you're handling errors. These tips are an easy way to give your users with a more resilient experience. If you've tried it out or have different ways of approaching your errors, let me know in the comments!

Cornell Tech also has an entrepreneurial program called Startup Studio that puts students in multi-disciplinary teams to build the basis of a startup, and in my class, they can develop a working prototype of their idea using tools like React & Firebase.

This was my first time teaching in a university setting. Years ago, I ran a non-profit to help teach underserved teenagers in NYC how to code with robotics, and now, the big difference is that I'm teaching adults. Surprisingly, the age doesn't make that big of a difference!

I enjoyed the experience of teaching, of watching students connect one idea in their head to another in real time. Students have big aspirations and the energy to do it. But the experience also had its downsides, so I thought it'd be helpful to share out my experience for other technical instructors & aspiring students (both in and out of university settings).

On Teaching

When I joined in 2021, we were still in the middle of the pandemic so my very first experience was teaching a class remotely over Zoom to ~45 students who had registered for the class.

Since it was a 1-credit course, my class started midway through the semester and lasted for 8 weeks. My class ran for an hour and 15 minutes each Monday at 3pm.

At my day job at Amplify Education, I'm used to working remotely and presenting in front of a room of blank squares with your initials as an avatar. So I didn't mind it too much and I had fun with it - like this pic where I use the backdrop of the conference room in The Office 🙂.

My biggest worry while preparing for the class was that I wouldn't have enough content to fill the time slot. It was my biggest dread. So I prepared a ton of content to go through in each session. Then reality would smack me in the face when I realize how hard it is to cover whatever I thought I would be able to cover.

On Teaching Programming

Since I'm teaching a grad level class, I assume that students can understand code and at least be able to put ideas together with code. And that's true to an extent. One of the nice things about Cornell Tech is that you can enroll even if you don't have a CS background, as long as you're able to figure it out on your own and catch up.

Unfortunately, for me, that means the experience range in the class goes from people who have never heard of git all the way to people who have already launched a web-based business. I have some students who have only taken Data Structures & Algorithms, others who only know Python with Jupyter Notebooks. One student shared that their intro to CS class was C++ and it was mostly focused on coding for biostats.

Multiple students would say, "I only know python for machine learning", worried about how they might perform in my class.

From a student's point of view, their only exposure to the industry is via their college experience, after all, that's what they are paying for. But some colleges are stuck with outdated ways and techniques of building software, and it doesn't line up with whats needed in the industry. The gap between writing some numpy scripts in Jupyter code and creating a product that people can use is huge.

It is impossible to cater to both ends - I tried and failed miserably.

My first 3 months of my first programming job was a mind opener in topics that never came up in school. Things like version control, continuous integration, environments was all a new concept to me and never mentioned in my college - so this was what I wanted cover in my course.

I also learned that many teachers who teach programming or other CS classes are not always teachers first. They do other work as part of their job at the university and the class is just one part of it, and for some - its their least favorite and required thing to do (and I get why!). They may not even have a background in teaching at all. One of my professors hadn't programmed professionally in years. His experience seemed outdated even in an intro class.

But I can't really talk either... I have no formal background in teaching either!

On Learning Programming

Its one thing to learn the syntax of a language, and its something else to use the language to do something more than console.log(). Lots of people struggle with both.

Lectures are a terrible format for learning. And the alternative where students do exercises during class falls apart quickly. Some students like to work in groups, some students want to work individually. There's a lot of slackers out there and people try to avoid them.

Some students work better when they can review material ahead of time. Some students just want to hear what you have to say that day. Some students rely on the Zoom recording, so they can be less alert during the actual class. Some students like a video format. Other students prefer a text-based format.

And holy moly, its a lot of work to put this all together from scratch. The crux of the problem is, I don't know how much I can reasonably cover within a semester's time, and I can make small course corrections based on feedback - but I can't make big shifts in the order I teach things mid-way through the semester (not easily anyway).

Students pay a pretty penny to get an education from a university, but given the structure and the incentives, universities (in general) don't have strong incentives to provide quality instruction. Cornell Tech pays a pretty penny to get professional industry leaders to teach their courses, and I think they have a good cross-section of practical experience + teaching experience. But students have very varied experiences across schools.

So students come in expecting to learn from people who are at the top of their game. And its possible they may get someone who is good at what they do, but can't communicate at all. Or you get someone who can teach, but they don't do the work professionally and might be behind the times.

On Grading

This was the hardest part to come to terms with. Early on, I told myself repeatedly - "I'm not out here to ruin anyones life." But at the same time, I had to define a bar for what constitutes acceptable work.

Grading is incredibly subjective. There is no standard for grades - especially for a class that you're creating. And the ranges will vary wildly from class to class. For one professor, an A+ means you have to go above and beyond whats expected of you in the class. For others, an A+ means you completed all the work that was expected of you. It is up to the teachers discretion to grade the students understanding of the material - this is hard to do.

The best advice I got was to base it on a real situation. If a student was to mention during a job interview that they took this class at Cornell Tech, and showed up, and didn't know any of the lingo, the interviewers would doubt the usefulness of their degree. So for me, an A/A+ meant that I believed you had enough to hold your own during a technical interview.

That said, some students are (obviously) very opinionated about how they should be graded. Some students think they should be graded on effort, others believe the amount of time spent should be a factor. Others want to do the work when they feel like it without penalty.

There was one F in my class this first semester but it was a student that had meant to drop the course. Because it was a 1-credit course, I tried to make it very easy with a minimal amount of work. I started the course with ~45 students and finished with 33 by the end of the semester.

Here's how they did

Maybe in a future post - I'll talk about the way I structured the course and why from an instructor's perspective.